Resubmissions

13-08-2021 10:16

210813-wpta271jdx 10

08-08-2021 23:00

210808-fgs5g9pxfs 10

07-08-2021 23:12

210807-g2jw1lmd4a 10

07-08-2021 16:10

210807-51nhct4kfx 10

06-08-2021 23:43

210806-gc2271nxwj 10

06-08-2021 06:00

210806-f443x39x8a 10

05-08-2021 17:08

210805-97y6banvvx 10

04-08-2021 17:25

210804-hkxx2ntr8x 10

04-08-2021 12:12

210804-rjbg4b4y7n 10

03-08-2021 17:12

210803-r2h7ytjwqj 10

General

  • Target

    8.rar

  • Size

    94.9MB

  • Sample

    210728-vxtw2q5y3a

  • MD5

    f6e2e5e7a38bff1204b1db40674ed32e

  • SHA1

    382e84e729a0949da4a993b6e04f6529271e4ca2

  • SHA256

    2205e931fcca292889c4845eb2b0e961fc7b598c276b6abf71bb5cf6c59c1132

  • SHA512

    34fff661f1bbaf6340b29306946cb721eb79c9c20d859df32f549d0bb13e22c59cc44097b30ab5d3ad46e0afa95981cffbf6d8a41cea97b8b72c15899b16de9e

Malware Config

Extracted

Family

vidar

Version

39.6

Botnet

933

C2

https://sslamlssa1.tumblr.com/

Attributes
  • profile_id

    933

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

vidar

Version

39.8

Botnet

828

C2

https://xeronxikxxx.tumblr.com/

Attributes
  • profile_id

    828

Extracted

Family

redline

Botnet

zero_5k

C2

86.106.181.209:18845

Extracted

Family

redline

Botnet

727

C2

qumaranero.xyz:80

Extracted

Family

redline

Botnet

sel21

C2

salkefard.xyz:80

Extracted

Family

vidar

Version

39.8

Botnet

865

C2

https://xeronxikxxx.tumblr.com/

Attributes
  • profile_id

    865

Extracted

Family

redline

Botnet

28_7_r

C2

zertypelil.xyz:80

Extracted

Family

redline

Botnet

SewPalpadin

C2

185.215.113.114:8887

Extracted

Family

redline

Botnet

202

C2

ynetellyan.xyz:80

Targets

    • Target

      8 (1).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Windows security bypass

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Win32/Kelihos.F exe Download 2

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Blocklisted process makes network request

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Windows security modification

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

    • Target

      8 (10).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Windows security bypass

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Kelihos.F exe Download 2

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

    • Target

      8 (11).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Windows security bypass

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Win32/Kelihos.F exe Download 2

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Nirsoft

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

    • Target

      8 (12).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Win32/Kelihos.F exe Download 2

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Nirsoft

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

    • Target

      8 (13).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Windows security bypass

    • suricata: ET MALWARE DNS Query Sinkhole Domain Various Families (Possible Infected Host)

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Win32/Kelihos.F exe Download 2

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

    • Target

      8 (14).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Win32/Kelihos.F exe Download 2

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

    • Target

      8 (15).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Windows security bypass

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Win32/Kelihos.F exe Download 2

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Nirsoft

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Windows security modification

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

    • Target

      8 (16).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Windows security bypass

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Kelihos.F exe Download 2

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

    • Target

      8 (17).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Windows security bypass

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Win32/Kelihos.F exe Download 2

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

    • Target

      8 (18).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Windows security bypass

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Win32/Kelihos.F exe Download 2

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Nirsoft

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      8 (19).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Windows security bypass

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Win32/Kelihos.F exe Download 2

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Nirsoft

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Blocklisted process makes network request

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

    • Target

      8 (2).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Windows security bypass

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Win32/Kelihos.F exe Download 2

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

    • Target

      8 (20).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Windows security bypass

    • suricata: ET MALWARE DNS Query Sinkhole Domain Various Families (Possible Infected Host)

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Win32/Kelihos.F exe Download 2

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

    • Target

      8 (21).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Windows security bypass

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Win32/Kelihos.F exe Download 2

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

    • Target

      8 (22).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Windows security bypass

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Win32/Kelihos.F exe Download 2

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Nirsoft

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Windows security modification

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

    • Target

      8 (23).exe

    • Size

      3.0MB

    • MD5

      bb072cad921aa5ce8b97706ce01bc570

    • SHA1

      18bf034906c1341b7817e7361ad27a4425d820bd

    • SHA256

      817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

    • SHA512

      d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M1

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Win32/Kelihos.F exe Download 2

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

MITRE ATT&CK Enterprise v6

Tasks

static1

Score
N/A

behavioral1

gluptebametasploitraccoonredlinesmokeloadersocelarstofseevidar828933aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealersuricatathemidatrojanvmprotect
Score
10/10

behavioral2

gluptebametasploitraccoonredlinesmokeloadersocelarstofseevidar727865933sel21zero_5kaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealersuricatathemidatrojanupxvmprotect
Score
10/10

behavioral3

redlinesmokeloadervidar865aspackv2backdoordiscoveryevasioninfostealerpersistencestealersuricatathemidatrojanvmprotect
Score
10/10

behavioral4

gluptebametasploitraccoonredlinesmokeloadersocelarstofseevidar28_7_r865933sel21zero_5kaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealersuricatathemidatrojanupx
Score
10/10

behavioral5

gluptebametasploitredlinesmokeloadervidar828aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencestealersuricatathemidatrojanupxvmprotect
Score
10/10

behavioral6

gluptebametasploitraccoonredlinesmokeloadersocelarstofseevidar28_7_r727865933sel21zero_5kaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealersuricatathemidatrojanupx
Score
10/10

behavioral7

gluptebametasploitredlinesmokeloadertofseevidar202933sewpalpadinaspackv2backdoordropperevasioninfostealerloaderpersistencestealersuricatathemidatrojanvmprotect
Score
10/10

behavioral8

gluptebametasploitredlinesmokeloadersocelarsvidar865933sel21zero_5kaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealersuricatathemidatrojanupx
Score
10/10

behavioral9

redlinesmokeloadervidar202933sewpalpadinaspackv2backdoordiscoveryinfostealerpersistencespywarestealertrojan
Score
10/10

behavioral10

gluptebametasploitraccoonredlinesmokeloadersocelarstofseevidar28_7_r727865933zero_5kaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealersuricatathemidatrojanupx
Score
10/10

behavioral11

gluptebametasploitredlinesmokeloadersocelarstofseevidar828865933aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencestealersuricatathemidatrojanvmprotect
Score
10/10

behavioral12

gluptebametasploitraccoonredlinesmokeloadersocelarsvidar28_7_r865933sel21zero_5kaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealersuricatathemidatrojanupxvmprotect
Score
10/10

behavioral13

redlinesmokeloadervidar28_7_r933sel21zero_5kaspackv2backdoordiscoveryevasioninfostealerpersistencestealersuricatathemidatrojan
Score
10/10

behavioral14

raccoonredlinesmokeloadersocelarsvidar28_7_r933sel21aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatathemidatrojanupxvmprotect
Score
10/10

behavioral15

raccoonredlinesocelarstofseevidar933sel21zero_5kaspackv2discoveryevasioninfostealerpersistencespywarestealersuricatathemidatrojan
Score
10/10

behavioral16

gluptebametasploitraccoonredlinesmokeloadersocelarstofseevidar28_7_r865933sel21zero_5kaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealersuricatathemidatrojanupxvmprotect
Score
10/10

behavioral17

gluptebametasploitraccoonredlinesmokeloadersocelarstofseevidar933aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealersuricatathemidatrojanvmprotect
Score
10/10

behavioral18

gluptebametasploitraccoonredlinesmokeloadersocelarsvidar727865933sel21zero_5kaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealersuricatathemidatrojanupx
Score
10/10

behavioral19

gluptebametasploitraccoonredlinesmokeloadersocelarstofseevidar865933aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealersuricatathemidatrojanvmprotect
Score
10/10

behavioral20

gluptebametasploitraccoonredlinesmokeloadersocelarsvidar28_7_r865933sel21zero_5kaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealersuricatathemidatrojanupx
Score
10/10

behavioral21

gluptebametasploitredlinesmokeloadertofseevidar865933aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencestealersuricatathemidatrojan
Score
10/10

behavioral22

gluptebametasploitraccoonredlinesmokeloadersocelarstofseevidar28_7_r865933sel21zero_5kaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealersuricatathemidatrojanupxvmprotect
Score
10/10

behavioral23

raccoonredlinesmokeloadersocelarstofseevidar28_7_r933zero_5kaspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatathemidatrojan
Score
10/10

behavioral24

gluptebametasploitraccoonredlinesmokeloadersocelarstofseevidar727933sel21zero_5kaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealersuricatathemidatrojanupx
Score
10/10

behavioral25

gluptebametasploitredlinesmokeloadertofseevidar865933aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencestealersuricatathemidatrojanvmprotect
Score
10/10

behavioral26

gluptebametasploitraccoonredlinesmokeloadersocelarstofseevidar28_7_r865933sel21zero_5kaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealersuricatathemidatrojanupx
Score
10/10

behavioral27

gluptebametasploitredlinesmokeloadervidar20228_7_r727865933sewpalpadinaspackv2backdoordropperevasioninfostealerloaderpersistencestealersuricatathemidatrojanupx
Score
10/10

behavioral28

gluptebametasploitraccoonredlinesmokeloadersocelarstofseevidar28_7_r865933sel21zero_5kaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealersuricatathemidatrojanupx
Score
10/10

behavioral29

redlinesmokeloadervidar202933sewpalpadinaspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatatrojan
Score
10/10

behavioral30

gluptebametasploitraccoonredlinesmokeloadersocelarstofseevidar28_7_r865933sel21zero_5kaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealersuricatathemidatrojanupxvmprotect
Score
10/10

behavioral31

gluptebametasploitraccoonredlinesmokeloadersocelarstofseevidar865933aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealersuricatathemidatrojanvmprotect
Score
10/10

behavioral32

gluptebametasploitraccoonredlinesmokeloadersocelarsvidar28_7_r865933sel21zero_5kaspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealersuricatathemidatrojanupx
Score
10/10