8.rar

General
Target

8.rar

Size

94MB

Sample

210727-158yegh9jn

Score
10 /10
MD5

f6e2e5e7a38bff1204b1db40674ed32e

SHA1

382e84e729a0949da4a993b6e04f6529271e4ca2

SHA256

2205e931fcca292889c4845eb2b0e961fc7b598c276b6abf71bb5cf6c59c1132

SHA512

34fff661f1bbaf6340b29306946cb721eb79c9c20d859df32f549d0bb13e22c59cc44097b30ab5d3ad46e0afa95981cffbf6d8a41cea97b8b72c15899b16de9e

Malware Config

Extracted

Family vidar
Version 39.6
Botnet 933
C2

https://sslamlssa1.tumblr.com/

Attributes
profile_id
933

Extracted

Path C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family buran
Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. Do you really want to restore your files? Write to email: udacha123@mail2tor.com telegram @udacha123yes 200$=24 hour Attention !!! in 24 hours the price will increase 3 times(400$) Your personal ID: 155-766-CC0 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

udacha123@mail2tor.com

Extracted

Family redline
Botnet zero_5k
C2

86.106.181.209:18845

Extracted

Family redline
Botnet sel21
C2

salkefard.xyz:80

Extracted

Family smokeloader
Version 2020
C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

http://readinglistforjuly1.club/

http://readinglistforjuly2.club/

http://readinglistforjuly3.club/

http://readinglistforjuly4.club/

http://readinglistforjuly5.club/

http://readinglistforjuly6.club/

http://readinglistforjuly7.club/

http://readinglistforjuly8.club/

http://readinglistforjuly9.club/

http://readinglistforjuly10.club/

rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Path C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family buran
Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. Do you really want to restore your files? Write to email: udacha123@mail2tor.com telegram @udacha123yes 200$=24 hour Attention !!! in 24 hours the price will increase 3 times(400$) Your personal ID: 24E-8AD-FA2 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

udacha123@mail2tor.com

Extracted

Path C:\_readme.txt
Ransom Note
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-rbzFCkr9sY Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: manager@mailtemp.ch Reserve e-mail address to contact us: managerhelper@airmail.cc Your personal ID: 0320gDrgouyjQTOBSgXDiJALhsMukZh62JX1m6EZBVPH0E2Wy
Emails

manager@mailtemp.ch

managerhelper@airmail.cc

URLs

https://we.tl/t-rbzFCkr9sY

Extracted

Family redline
Botnet 727
C2

qumaranero.xyz:80

Extracted

Family vidar
Version 39.7
Botnet 517
C2

https://shpak125.tumblr.com/

Attributes
profile_id
517

Extracted

Family vidar
Version 39.8
Botnet 828
C2

https://xeronxikxxx.tumblr.com/

Attributes
profile_id
828

Extracted

Family redline
Botnet SewPalpadin
C2

185.215.113.114:8887

Extracted

Family redline
Botnet 202
C2

ynetellyan.xyz:80

Targets
Target

8 (1).exe

MD5

bb072cad921aa5ce8b97706ce01bc570

Filesize

2MB

Score
10 /10
SHA1

18bf034906c1341b7817e7361ad27a4425d820bd

SHA256

817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

SHA512

d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Tags

Signatures

  • Buran

    Description

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    Tags

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify Registry Modify Existing Service Disabling Security Tools
  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Socelars Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • suricata: ET MALWARE DTLoader Binary Request M2

    Tags

  • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    Tags

  • suricata: ET MALWARE Generic gate[.].php GET with minimal headers

    Tags

  • suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad

    Tags

  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    Tags

  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    Tags

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    Tags

  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion Inhibit System Recovery
  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion
  • Nirsoft

  • Vidar Stealer

    Tags

  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Tags

  • Downloads MZ/PE file

  • Executes dropped EXE

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry System Information Discovery
  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry System Information Discovery
  • Drops startup file

  • Loads dropped DLL

  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Tags

  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Checks for any installed AV software in registry

    TTPs

    Security Software Discovery
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  • autoit_exe

    Description

    AutoIT scripts compiled to PE executables.

Related Tasks

Target

8 (10).exe

MD5

bb072cad921aa5ce8b97706ce01bc570

Filesize

2MB

Score
10 /10
SHA1

18bf034906c1341b7817e7361ad27a4425d820bd

SHA256

817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

SHA512

d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Tags

Signatures

  • Buran

    Description

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    Tags

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify Registry Modify Existing Service Disabling Security Tools
  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Socelars Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Tofsee

    Description

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    Tags

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • Windows security bypass

    Tags

    TTPs

    Disabling Security Tools Modify Registry
  • suricata: ET MALWARE DTLoader Binary Request M2

    Tags

  • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    Tags

  • suricata: ET MALWARE Generic gate[.].php GET with minimal headers

    Tags

  • suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad

    Tags

  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    Tags

  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    Tags

  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    Tags

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    Tags

  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    Tags

  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion Inhibit System Recovery
  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion
  • Nirsoft

  • Vidar Stealer

    Tags

  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Tags

  • Creates new service(s)

    Tags

    TTPs

    New Service
  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Sets service image path in registry

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry System Information Discovery
  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry System Information Discovery
  • Drops startup file

  • Loads dropped DLL

  • Modifies file permissions

    Tags

    TTPs

    File Permissions Modification
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Tags

  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  • autoit_exe

    Description

    AutoIT scripts compiled to PE executables.

Related Tasks

Target

8 (11).exe

MD5

bb072cad921aa5ce8b97706ce01bc570

Filesize

2MB

Score
10 /10
SHA1

18bf034906c1341b7817e7361ad27a4425d820bd

SHA256

817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

SHA512

d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Tags

Signatures

  • Buran

    Description

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    Tags

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify Registry Modify Existing Service Disabling Security Tools
  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Socelars Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • suricata: ET MALWARE DTLoader Binary Request M2

    Tags

  • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    Tags

  • suricata: ET MALWARE Generic gate[.].php GET with minimal headers

    Tags

  • suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad

    Tags

  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    Tags

  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    Tags

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    Tags

  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    Tags

  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion Inhibit System Recovery
  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion
  • Vidar Stealer

    Tags

  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Tags

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry System Information Discovery
  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry System Information Discovery
  • Drops startup file

  • Loads dropped DLL

  • Modifies file permissions

    Tags

    TTPs

    File Permissions Modification
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Tags

  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  • autoit_exe

    Description

    AutoIT scripts compiled to PE executables.

Related Tasks

Target

8 (12).exe

MD5

bb072cad921aa5ce8b97706ce01bc570

Filesize

2MB

Score
10 /10
SHA1

18bf034906c1341b7817e7361ad27a4425d820bd

SHA256

817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

SHA512

d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Tags

Signatures

  • Buran

    Description

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    Tags

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify Registry Modify Existing Service Disabling Security Tools
  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Socelars Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Tofsee

    Description

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    Tags

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • Windows security bypass

    Tags

    TTPs

    Disabling Security Tools Modify Registry
  • suricata: ET MALWARE DTLoader Binary Request M2

    Tags

  • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    Tags

  • suricata: ET MALWARE Generic gate[.].php GET with minimal headers

    Tags

  • suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad

    Tags

  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    Tags

  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    Tags

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    Tags

  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion Inhibit System Recovery
  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion
  • Vidar Stealer

    Tags

  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Tags

  • Creates new service(s)

    Tags

    TTPs

    New Service
  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Sets service image path in registry

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry System Information Discovery
  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry System Information Discovery
  • Drops startup file

  • Loads dropped DLL

  • Modifies file permissions

    Tags

    TTPs

    File Permissions Modification
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Tags

  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  • autoit_exe

    Description

    AutoIT scripts compiled to PE executables.

Related Tasks

Target

8 (13).exe

MD5

bb072cad921aa5ce8b97706ce01bc570

Filesize

2MB

Score
10 /10
SHA1

18bf034906c1341b7817e7361ad27a4425d820bd

SHA256

817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

SHA512

d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Tags

Signatures

  • Buran

    Description

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    Tags

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify Registry Modify Existing Service Disabling Security Tools
  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Socelars Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • suricata: ET MALWARE DTLoader Binary Request M2

    Tags

  • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    Tags

  • suricata: ET MALWARE Generic gate[.].php GET with minimal headers

    Tags

  • suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad

    Tags

  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    Tags

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion Inhibit System Recovery
  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion
  • Nirsoft

  • Vidar Stealer

    Tags

  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Tags

  • Blocklisted process makes network request

  • Creates new service(s)

    Tags

    TTPs

    New Service
  • Downloads MZ/PE file

  • Executes dropped EXE

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry System Information Discovery
  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry System Information Discovery
  • Drops startup file

  • Loads dropped DLL

  • Modifies file permissions

    Tags

    TTPs

    File Permissions Modification
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Tags

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Checks for any installed AV software in registry

    TTPs

    Security Software Discovery
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  • autoit_exe

    Description

    AutoIT scripts compiled to PE executables.

Related Tasks

Target

8 (14).exe

MD5

bb072cad921aa5ce8b97706ce01bc570

Filesize

2MB

Score
10 /10
SHA1

18bf034906c1341b7817e7361ad27a4425d820bd

SHA256

817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

SHA512

d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Tags

Signatures

  • Buran

    Description

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    Tags

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify Registry Modify Existing Service Disabling Security Tools
  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Socelars Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Tofsee

    Description

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    Tags

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • Windows security bypass

    Tags

    TTPs

    Disabling Security Tools Modify Registry
  • suricata: ET MALWARE DTLoader Binary Request M2

    Tags

  • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    Tags

  • suricata: ET MALWARE Generic gate[.].php GET with minimal headers

    Tags

  • suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad

    Tags

  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    Tags

  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    Tags

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    Tags

  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion Inhibit System Recovery
  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion
  • Nirsoft

  • Vidar Stealer

    Tags

  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Tags

  • Blocklisted process makes network request

  • Creates new service(s)

    Tags

    TTPs

    New Service
  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Sets service image path in registry

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry System Information Discovery
  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry System Information Discovery
  • Drops startup file

  • Loads dropped DLL

  • Modifies file permissions

    Tags

    TTPs

    File Permissions Modification
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Tags

  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Checks for any installed AV software in registry

    TTPs

    Security Software Discovery
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  • autoit_exe

    Description

    AutoIT scripts compiled to PE executables.

Related Tasks

Target

8 (15).exe

MD5

bb072cad921aa5ce8b97706ce01bc570

Filesize

2MB

Score
10 /10
SHA1

18bf034906c1341b7817e7361ad27a4425d820bd

SHA256

817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

SHA512

d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Tags

Signatures

  • Buran

    Description

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    Tags

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify Registry Modify Existing Service Disabling Security Tools
  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Socelars Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Tofsee

    Description

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    Tags

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • Windows security bypass

    Tags

    TTPs

    Disabling Security Tools Modify Registry
  • suricata: ET MALWARE DTLoader Binary Request M2

    Tags

  • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    Tags

  • suricata: ET MALWARE Generic gate[.].php GET with minimal headers

    Tags

  • suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad

    Tags

  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    Tags

  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    Tags

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    Tags

  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion Inhibit System Recovery
  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion
  • Vidar Stealer

    Tags

  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Tags

  • Creates new service(s)

    Tags

    TTPs

    New Service
  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service
  • Sets service image path in registry

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry System Information Discovery
  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry System Information Discovery
  • Drops startup file

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Tags

  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Checks for any installed AV software in registry

    TTPs

    Security Software Discovery
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  • autoit_exe

    Description

    AutoIT scripts compiled to PE executables.

Related Tasks

Target

8 (16).exe

MD5

bb072cad921aa5ce8b97706ce01bc570

Filesize

2MB

Score
10 /10
SHA1

18bf034906c1341b7817e7361ad27a4425d820bd

SHA256

817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

SHA512

d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Tags

Signatures

  • Buran

    Description

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    Tags

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify Registry Modify Existing Service Disabling Security Tools
  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Socelars Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Tofsee

    Description

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    Tags

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • Windows security bypass

    Tags

    TTPs

    Disabling Security Tools Modify Registry
  • suricata: ET MALWARE DTLoader Binary Request M2

    Tags

  • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    Tags

  • suricata: ET MALWARE Generic gate[.].php GET with minimal headers

    Tags

  • suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad

    Tags

  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    Tags

  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    Tags

  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    Tags

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    Tags

  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion Inhibit System Recovery
  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion
  • Vidar Stealer

    Tags

  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Tags

  • Creates new service(s)

    Tags

    TTPs

    New Service
  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Sets service image path in registry

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry System Information Discovery
  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry System Information Discovery
  • Drops startup file

  • Loads dropped DLL

  • Modifies file permissions

    Tags

    TTPs

    File Permissions Modification
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Tags

  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Checks for any installed AV software in registry

    TTPs

    Security Software Discovery
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  • autoit_exe

    Description

    AutoIT scripts compiled to PE executables.

Related Tasks

Target

8 (17).exe

MD5

bb072cad921aa5ce8b97706ce01bc570

Filesize

2MB

Score
10 /10
SHA1

18bf034906c1341b7817e7361ad27a4425d820bd

SHA256

817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

SHA512

d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Tags

Signatures

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    Tags

  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    Tags

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    Tags

  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    Tags

  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    Tags

  • Vidar Stealer

    Tags

  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Tags

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Loads dropped DLL

  • Modifies file permissions

    Tags

    TTPs

    File Permissions Modification
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

Related Tasks

Target

8 (18).exe

MD5

bb072cad921aa5ce8b97706ce01bc570

Filesize

2MB

Score
10 /10
SHA1

18bf034906c1341b7817e7361ad27a4425d820bd

SHA256

817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

SHA512

d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Tags

Signatures

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify Registry Modify Existing Service Disabling Security Tools
  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Tofsee

    Description

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    Tags

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    Tags

  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    Tags

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    Tags

  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    Tags

  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion Inhibit System Recovery
  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion
  • Vidar Stealer

    Tags

  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Tags

  • Blocklisted process makes network request

  • Creates new service(s)

    Tags

    TTPs

    New Service
  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry System Information Discovery
  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry System Information Discovery
  • Loads dropped DLL

  • Modifies file permissions

    Tags

    TTPs

    File Permissions Modification
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Tags

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

Related Tasks

Target

8 (19).exe

MD5

bb072cad921aa5ce8b97706ce01bc570

Filesize

2MB

Score
10 /10
SHA1

18bf034906c1341b7817e7361ad27a4425d820bd

SHA256

817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

SHA512

d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Tags

Signatures

  • Buran

    Description

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    Tags

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify Registry Modify Existing Service Disabling Security Tools
  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Socelars Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Tofsee

    Description

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    Tags

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • Windows security bypass

    Tags

    TTPs

    Disabling Security Tools Modify Registry
  • suricata: ET MALWARE DTLoader Binary Request M2

    Tags

  • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    Tags

  • suricata: ET MALWARE Generic gate[.].php GET with minimal headers

    Tags

  • suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad

    Tags

  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    Tags

  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    Tags

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    Tags

  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion Inhibit System Recovery
  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion
  • Nirsoft

  • Vidar Stealer

    Tags

  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Tags

  • Creates new service(s)

    Tags

    TTPs

    New Service
  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Sets service image path in registry

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry System Information Discovery
  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry System Information Discovery
  • Drops startup file

  • Loads dropped DLL

  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Tags

  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  • autoit_exe

    Description

    AutoIT scripts compiled to PE executables.

Related Tasks

Target

8 (2).exe

MD5

bb072cad921aa5ce8b97706ce01bc570

Filesize

2MB

Score
10 /10
SHA1

18bf034906c1341b7817e7361ad27a4425d820bd

SHA256

817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

SHA512

d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Tags

Signatures

  • Buran

    Description

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    Tags

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify Registry Modify Existing Service Disabling Security Tools
  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Socelars Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Tofsee

    Description

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    Tags

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • Windows security bypass

    Tags

    TTPs

    Disabling Security Tools Modify Registry
  • suricata: ET MALWARE DTLoader Binary Request M2

    Tags

  • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    Tags

  • suricata: ET MALWARE Generic gate[.].php GET with minimal headers

    Tags

  • suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad

    Tags

  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    Tags

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    Tags

  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion Inhibit System Recovery
  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion
  • Nirsoft

  • Vidar Stealer

    Tags

  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Tags

  • Creates new service(s)

    Tags

    TTPs

    New Service
  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Sets service image path in registry

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry System Information Discovery
  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry System Information Discovery
  • Drops startup file

  • Loads dropped DLL

  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Tags

  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  • autoit_exe

    Description

    AutoIT scripts compiled to PE executables.

Related Tasks

Target

8 (20).exe

MD5

bb072cad921aa5ce8b97706ce01bc570

Filesize

2MB

Score
10 /10
SHA1

18bf034906c1341b7817e7361ad27a4425d820bd

SHA256

817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

SHA512

d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Tags

Signatures

  • Buran

    Description

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    Tags

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify Registry Modify Existing Service Disabling Security Tools
  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Socelars Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Tofsee

    Description

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    Tags

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • Windows security bypass

    Tags

    TTPs

    Disabling Security Tools Modify Registry
  • suricata: ET MALWARE DTLoader Binary Request M2

    Tags

  • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    Tags

  • suricata: ET MALWARE Generic gate[.].php GET with minimal headers

    Tags

  • suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad

    Tags

  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    Tags

  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    Tags

  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    Tags

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    Tags

  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion Inhibit System Recovery
  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion
  • Vidar Stealer

    Tags

  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Tags

  • Blocklisted process makes network request

  • Creates new service(s)

    Tags

    TTPs

    New Service
  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Sets service image path in registry

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry System Information Discovery
  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry System Information Discovery
  • Drops startup file

  • Loads dropped DLL

  • Modifies file permissions

    Tags

    TTPs

    File Permissions Modification
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Tags

  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  • autoit_exe

    Description

    AutoIT scripts compiled to PE executables.

Related Tasks

Target

8 (21).exe

MD5

bb072cad921aa5ce8b97706ce01bc570

Filesize

2MB

Score
10 /10
SHA1

18bf034906c1341b7817e7361ad27a4425d820bd

SHA256

817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

SHA512

d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Tags

Signatures

  • Buran

    Description

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    Tags

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify Registry Modify Existing Service Disabling Security Tools
  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Socelars Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Tofsee

    Description

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    Tags

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • Windows security bypass

    Tags

    TTPs

    Disabling Security Tools Modify Registry
  • suricata: ET MALWARE DTLoader Binary Request M2

    Tags

  • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    Tags

  • suricata: ET MALWARE Generic gate[.].php GET with minimal headers

    Tags

  • suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad

    Tags

  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    Tags

  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    Tags

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    Tags

  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion Inhibit System Recovery
  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion
  • Vidar Stealer

    Tags

  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Tags

  • Creates new service(s)

    Tags

    TTPs

    New Service
  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service
  • Sets service image path in registry

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry System Information Discovery
  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry System Information Discovery
  • Drops startup file

  • Loads dropped DLL

  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Tags

  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  • autoit_exe

    Description

    AutoIT scripts compiled to PE executables.

Related Tasks

Target

8 (22).exe

MD5

bb072cad921aa5ce8b97706ce01bc570

Filesize

2MB

Score
10 /10
SHA1

18bf034906c1341b7817e7361ad27a4425d820bd

SHA256

817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

SHA512

d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Tags

Signatures

  • Buran

    Description

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    Tags

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify Registry Modify Existing Service Disabling Security Tools
  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Socelars Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Tofsee

    Description

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    Tags

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • Windows security bypass

    Tags

    TTPs

    Disabling Security Tools Modify Registry
  • suricata: ET MALWARE DTLoader Binary Request M2

    Tags

  • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    Tags

  • suricata: ET MALWARE Generic gate[.].php GET with minimal headers

    Tags

  • suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad

    Tags

  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    Tags

  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    Tags

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    Tags

  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion Inhibit System Recovery
  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion
  • Vidar Stealer

    Tags

  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Tags

  • Creates new service(s)

    Tags

    TTPs

    New Service
  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Sets service image path in registry

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry System Information Discovery
  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry System Information Discovery
  • Drops startup file

  • Loads dropped DLL

  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Tags

  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  • autoit_exe

    Description

    AutoIT scripts compiled to PE executables.

Related Tasks

Target

8 (23).exe

MD5

bb072cad921aa5ce8b97706ce01bc570

Filesize

2MB

Score
10 /10
SHA1

18bf034906c1341b7817e7361ad27a4425d820bd

SHA256

817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

SHA512

d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Tags

Signatures

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    Tags

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    Tags

  • Vidar Stealer

    Tags

  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Tags

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Loads dropped DLL

  • Modifies file permissions

    Tags

    TTPs

    File Permissions Modification
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

Related Tasks

Tasks

static1

behavioral18

1/10

behavioral20

1/10

behavioral32

1/10