General

  • Target

    3malwarefolder.rar

  • Size

    33.0MB

  • Sample

    210823-cn9tqs7c86

  • MD5

    e7c4552ea9e58373f3b1dd76236c0817

  • SHA1

    31269b693b8bb5ece8453ce53390d9fddda455ce

  • SHA256

    909aaea4a3072305c0bcaab9d7b9cab70990305541db276ab8d870e3fbc51a18

  • SHA512

    245dd8d99f9aee193e4323b46cd88ee199b9629a6803f472ef783d63cdd865f3005c5fc69d397d5f3bfe8442be3a89af127a1076034e95f53148260fea641dcc

Malware Config

Extracted
  Family: redline
  Botnet: 23.08
  C2: 95.181.172.100:55640

Extracted
  Family: metasploit
  Version: windows/single_exec

Extracted
  Family: vidar
  Version: 40.1
  Botnet: 995
  C2: https://eduarroma.tumblr.com/
  Attributes:
    • profile_id: 995

Extracted
  Family: redline
  Botnet: dibild2
  C2: 135.148.139.222:1494

Extracted
  Family: smokeloader
  Version: 2020
  C2:
    http://aucmoney.com/upload/
    http://thegymmum.com/upload/
    http://atvcampingtrips.com/upload/
    http://kuapakualaman.com/upload/
    http://renatazarazua.com/upload/
    http://nasufmutlu.com/upload/
  Attributes:
    • rc4.i32

Extracted
  Family: raccoon
  Botnet: fd34ae8fb78d0554aa7caf12c271e01efb3342f6
  Attributes:
    • url4cnc: https://telete.in/jinnlitena1
    • rc4.plain

Extracted
  Family: redline
  C2: 205.185.119.191:18846

Extracted
  Family: vidar
  Version: 40.1
  Botnet: 937
  C2: https://eduarroma.tumblr.com/
  Attributes:
    • profile_id: 937

Extracted
  Family: redline
  Botnet: TEST 22.08
  C2: 94.103.83.88:65136

Extracted
  Family: redline
  Botnet: @Original_Finest
  C2: 159.69.190.155:35975

Extracted
  Family: vidar
  Version: 40.1
  Botnet: 916
  C2: https://eduarroma.tumblr.com/
  Attributes:
    • profile_id: 916

Extracted
  Family: redline
  Botnet: allsup
  C2: 188.124.36.242:25802

Targets

    • Target

      Mr4X5srRQR20TfuVZShfsrAN.exe

    • Size

      321KB

    • MD5

      94c78c311f499024a9f97cfdbb073623

    • SHA1

      50e91d3eaa06d2183bf8c6c411947304421c5626

    • SHA256

      6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e

    • SHA512

      29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545

    Score: 10/10
    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Target

      OEmxRS9UaiMPqIKXPz6Ef8jI.exe

    • Size

      589KB

    • MD5

      34c76bcc1506b513c7a1ac605c045c4e

    • SHA1

      271c6b3853e33e039242da7cf8f4465c48e90d2e

    • SHA256

      1e7f2339065e8a6909eea27f090499a1af6427d1563ceac0cd25c916c637d29d

    • SHA512

      cb2170b5fa492dcb7df54cfd7f4ad94214de98face0f1710cbad749c79bf322ea1106ace723520486bdeabdf0aa2eefbf70dcc060d61fcda1124298225c36865

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      OvVYhhgvd6ZhUony5cRMqVoB.exe

    • Size

      2.4MB

    • MD5

      b15db436045c3f484296acc6cff34a86

    • SHA1

      346ae322b55e14611f10a64f336aaa9ff6fed68c

    • SHA256

      dab2a18df66f2e74d0831a8b118de6b9df2642ac939cbad0552e30696d644193

    • SHA512

      804bee37e0a6247ef2edb5dba8d4b6820ff10b0a4cb76e4c039a7242285836ed5255a1f297f8ba96168d9295558844a9fd7ec3a977207f339296a001543c1fd9

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      QKvpJeDIaPtXDcwKwH_WmAYY.exe

    • Size

      2.4MB

    • MD5

      a7feb91676ca65d3da71c8ff8798e2ec

    • SHA1

      96b60cacea9e992ae9eef8e159d51e50bb0c7a79

    • SHA256

      844c20ca22a32cb2b23ff601dd070dfc800240bbcb2cbd825f3d3b325ad18a5f

    • SHA512

      d029d1e3746ae2c0dbf3351efbd744bdfef15fa9462de1cd35a4c5624d60365e5432e8ce7c49953b01df67f82525f35b79da371affc047e859ee61f60dbf9d75

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      QwnNK2SHckcc_GsoTwi8hDi5.exe

    • Size

      223B

    • MD5

      a6a676051f857d516f6c4bec595a7cfb

    • SHA1

      10e7c48a109ffbe60fa7ab3585c4bd711942cbd2

    • SHA256

      98686e602b5f75bbceb801ca315617579ad9ffe9e2df66d49673ea35a7e1f343

    • SHA512

      df302b28e5897bac668ad1ae2b32d2424af7c8cdf4527ac54ea268e6e9fbf41efe28b236af25ceacb5e5acd95b6c99b8cf95fa735687358a265bd59e2b127ba6

    Score: 1/10
    • Target

      QxZsdXOO8Xn2bW7iW8ff3gjN.exe

    • Size

      317KB

    • MD5

      145bf5658332302310a7fe40ed77783d

    • SHA1

      5370ac46379b8db9d9fca84f21d411687109486f

    • SHA256

      bddcd5eba3036a21b11e6d6d3cbe84daf562db27814adf7e32b5cc103d3c25d3

    • SHA512

      d3d9a8231f256efee7ce7ba6841d78c598dc912e7e5d503a9a094e6303d0f9f165a60c5370f353076b1f592d7d9ee6765d0ba4863a1c4935bb47e2ffa4ffb776

    Score: 10/10
    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Target

      QzUu4XgUxQuvhFNx7Nf5D6C3.exe

    • Size

      4.4MB

    • MD5

      7627ef162e039104d830924c3dbdab77

    • SHA1

      e81996dc45106b349cb8c31eafbc2d353dc2f68b

    • SHA256

      37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5

    • SHA512

      60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Target

      SHSPDO6BYDV7xlwsZDJxsLj9.exe

    • Size

      317KB

    • MD5

      145bf5658332302310a7fe40ed77783d

    • SHA1

      5370ac46379b8db9d9fca84f21d411687109486f

    • SHA256

      bddcd5eba3036a21b11e6d6d3cbe84daf562db27814adf7e32b5cc103d3c25d3

    • SHA512

      d3d9a8231f256efee7ce7ba6841d78c598dc912e7e5d503a9a094e6303d0f9f165a60c5370f353076b1f592d7d9ee6765d0ba4863a1c4935bb47e2ffa4ffb776

    Score: 10/10
    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Target

      SqCuVl85T1P8OuH3gpVMKnDi.exe

    • Size

      599KB

    • MD5

      85d019feb83854aa587fb13a34d1e2e7

    • SHA1

      5af4a2e70f32dc2705d3517260341456249b96b7

    • SHA256

      8acc169eac0f47377ad2a34a4fe277b73431f26cf3b262728bc1a8f17020c3e8

    • SHA512

      aa0baabd8d2533464b1ce752f14adbaf93da91abad85a10bdbef4463f4c260f224deb37ac332221b9e7eee053f58eaca96fe44f679d8d8cbcfb75a04ffaa953d

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • Vidar Stealer

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      T8Ulrjj8F65YXJ2qZEm11v_x.exe

    • Size

      586KB

    • MD5

      29903569f45cc9979551427cc5d9fd99

    • SHA1

      0487682dd1300b26cea9275a405c8ad3383a1583

    • SHA256

      eec05dc9ade2a7ee74ea5fb115bdd687b457d1f81841238a61e9775d6cc4bfa6

    • SHA512

      f8f29c163bfabc90ade4981523feb943656cc20a562e5b4f6f2c6788f781408aec39114a129e765332aa0022d154d4516e9cb56bc01762b114833fddb30d23fb

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      Trj0QcTNVE3l8SBp_3LNLFS9.exe

    • Size

      4.4MB

    • MD5

      7627ef162e039104d830924c3dbdab77

    • SHA1

      e81996dc45106b349cb8c31eafbc2d353dc2f68b

    • SHA256

      37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5

    • SHA512

      60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Target

      Uwc7l02HzjEVLDdBFF3ZKItU.exe

    • Size

      900KB

    • MD5

      7714deedb24c3dcfa81dc660dd383492

    • SHA1

      56fae3ab1186009430e175c73b914c77ed714cc0

    • SHA256

      435badbad2fc138245a4771a74ebb9075658e294d1bcfcf191ccea466eea825c

    • SHA512

      2cf05ac9470ab4e6d487ec9e4d7ab36fb2c8ce1405dba01b58934778829c7c4db703818087e0c5fbffe6cf821dfa190427e1205530409359ace2ad416e781c58

    Score: 6/10
    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      VoTrXaqIJ3vc2GnUIU6Wi5LW.exe

    • Size

      321KB

    • MD5

      94c78c311f499024a9f97cfdbb073623

    • SHA1

      50e91d3eaa06d2183bf8c6c411947304421c5626

    • SHA256

      6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e

    • SHA512

      29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545

    Score: 10/10
    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Target

      Wp77te7DqjxTjTIGMDSB0RHr.exe

    • Size

      2.4MB

    • MD5

      161b975933aaae18920d241890000dac

    • SHA1

      1cbbad54762c6301ad9ad2291159b9d2a141c143

    • SHA256

      dcdb0bc5e91652e7e3d2269581275c18d8c5eabbde14f9c17c99e5ff49e54a83

    • SHA512

      758d1d206c887637d0727ba380d94d4cc1bb8a37cc705dbe62435a45c4ebb0ea111c9e9238261da64dd0d8ee5e27fd9851053dffa0359670a165973dd4f91443

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      XOCYAkm_NnnfPmgVDNgu9MQ3.exe

    • Size

      5.3MB

    • MD5

      083da7bfea93dcaac5ca4c910c0c9636

    • SHA1

      5d94f9e397441ee8bb733122f9dce827b80f7e96

    • SHA256

      c06817143741717add66241dcd4f1b6ce497c6242d78793a69661b47a3796535

    • SHA512

      067b5940f3c04bbe908e978b735818cc6e46f8a34a6dfffdf63eca062b855d19a83f12e351dcb5da81464981771bb2a717d39bed9abdd96087cf4cd2996b31b5

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Xd_XnNqsZTJJf8dCq4s_mlAi.exe

    • Size

      273KB

    • MD5

      ac7f28f999ef6657abc24673642b518a

    • SHA1

      37c701301ba28e8329f7c990a790320d021331a0

    • SHA256

      46d153d7d517ea834af83364c01388f5c4af458c359625244aa7bac158e8bff2

    • SHA512

      d45fe4a99c81d2221ebb4b537a23ac2a64e05defb8c789eb8a716af30685d2ca5963e8caeadcaec74e5ea588311ea59509077f14870193408114b261e7b97370

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      Xr9ca9oQNQWbUwEgChRmX6Z9.exe

    • Size

      2.4MB

    • MD5

      161b975933aaae18920d241890000dac

    • SHA1

      1cbbad54762c6301ad9ad2291159b9d2a141c143

    • SHA256

      dcdb0bc5e91652e7e3d2269581275c18d8c5eabbde14f9c17c99e5ff49e54a83

    • SHA512

      758d1d206c887637d0727ba380d94d4cc1bb8a37cc705dbe62435a45c4ebb0ea111c9e9238261da64dd0d8ee5e27fd9851053dffa0359670a165973dd4f91443

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      XukfUfK8HAbjc5wMknHwOhFI.exe

    • Size

      1.1MB

    • MD5

      3b4348d187f24c82370836531f3fa94e

    • SHA1

      a2ca4e9f4a8d9c8634e42765e90e252803e20b15

    • SHA256

      cd189a8c952420bf33b68cce03b41900e8c784b1010213b097ecdb2d7e8079f7

    • SHA512

      2bab3c1e38a21cefc06363db75931bf3bfe0b4ee3f089293a750dfc866abc32c7135d2d9ba7ccb005aa01ad02d0a75a5fa02f85ca78cc8fe637615b7fa9e7394

    Score: 8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      YPTXDeqMC118ip3zHbyxwlns.exe

    • Size

      1.1MB

    • MD5

      3b4348d187f24c82370836531f3fa94e

    • SHA1

      a2ca4e9f4a8d9c8634e42765e90e252803e20b15

    • SHA256

      cd189a8c952420bf33b68cce03b41900e8c784b1010213b097ecdb2d7e8079f7

    • SHA512

      2bab3c1e38a21cefc06363db75931bf3bfe0b4ee3f089293a750dfc866abc32c7135d2d9ba7ccb005aa01ad02d0a75a5fa02f85ca78cc8fe637615b7fa9e7394

    Score: 8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      ma_5nZD3yos0uV8jzHnJSVxT.exe

    • Size

      163KB

    • MD5

      ec3921304077e2ac56d2f5060adab3d5

    • SHA1

      923cf378ec34c6d660f88c7916c083bedb9378aa

    • SHA256

      b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f

    • SHA512

      3796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      pnDF_dk604_fxVsUaLPL1Vfi.exe

    • Size

      599KB

    • MD5

      85d019feb83854aa587fb13a34d1e2e7

    • SHA1

      5af4a2e70f32dc2705d3517260341456249b96b7

    • SHA256

      8acc169eac0f47377ad2a34a4fe277b73431f26cf3b262728bc1a8f17020c3e8

    • SHA512

      aa0baabd8d2533464b1ce752f14adbaf93da91abad85a10bdbef4463f4c260f224deb37ac332221b9e7eee053f58eaca96fe44f679d8d8cbcfb75a04ffaa953d

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • Vidar Stealer

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      q_TzaanAkp60Doa2Vt025l91.exe

    • Size

      2.5MB

    • MD5

      f4f313d1f82fa87e710bd947a3667384

    • SHA1

      6ac08dd818b3dac502041508399f8c6392668521

    • SHA256

      492f4d8cae0b2cd6105f089b368d322bf6e388a803890f5196d5ccc4ac85bb04

    • SHA512

      97e4af0f46fa9e9b3d5a916af3a50bb6c9ba4df8fd5d63c63764f2a421f0eb04b4d48df2293152dcbe6184ffeb8adb9552d250aaab0e2f95ffdea443a853b59a

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      rgVakr0EruC2FtauFmrgXkxw.exe

    • Size

      610KB

    • MD5

      592404767648b0afc3cab6fade2fb7d2

    • SHA1

      bab615526528b498a09d76decbf86691807e7822

    • SHA256

      3593247c384586966e5a0e28eb4c4174b31e93c78c7a9e8fef96ec42a152e509

    • SHA512

      83819e4956ac6da21c4927fa6edee2b178bc89bcda8fb5f4d0767d0d8310393f50f0f7e76e1a963002626a8176abfa8d864c9229a41e5b61e1a24a32d379dda9

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • Vidar Stealer

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      t1fkwFYUEZVXvf_7oFFpVnr4.exe

    • Size

      163KB

    • MD5

      ec3921304077e2ac56d2f5060adab3d5

    • SHA1

      923cf378ec34c6d660f88c7916c083bedb9378aa

    • SHA256

      b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f

    • SHA512

      3796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      tC6gdsFTgl9CBMrK_2QhZX3x.exe

    • Size

      1.0MB

    • MD5

      956c60ba7d7d44f04b4d9ae2db9f723e

    • SHA1

      5b254193558cd413b015cd7efe7633e8712ffcb5

    • SHA256

      318ca6786488302f65aa4989d7be9b8ae25225ceef57894ef47e485153742170

    • SHA512

      e5b10f641a8544f873ae23c37e0a7d850a0e59b012f0bf01d0a75382e3728436ff2c0077b8a61c71008ec44739fadedc5bdd1f33d052acf589dd944918fa1945

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      tGeiUalbScQ8sPK2KKmKZNga.exe

    • Size

      223B

    • MD5

      a6a676051f857d516f6c4bec595a7cfb

    • SHA1

      10e7c48a109ffbe60fa7ab3585c4bd711942cbd2

    • SHA256

      98686e602b5f75bbceb801ca315617579ad9ffe9e2df66d49673ea35a7e1f343

    • SHA512

      df302b28e5897bac668ad1ae2b32d2424af7c8cdf4527ac54ea268e6e9fbf41efe28b236af25ceacb5e5acd95b6c99b8cf95fa735687358a265bd59e2b127ba6

    Score: 1/10
    • Target

      uMWmES83oduRUCtOU5jzfQkJ.exe

    • Size

      264KB

    • MD5

      c7ccbd62c259a382501ff67408594011

    • SHA1

      c1dca912e6c63e3730f261a3b4ba86dec0acd5f3

    • SHA256

      8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437

    • SHA512

      5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      v5n1HuUxtaYNHT7sRlXCCwIu.exe

    • Size

      927KB

    • MD5

      0e86a231689637b656a0764f2017d22f

    • SHA1

      70954ef5b83a7b0cd9dca4542d63bf3a7dc7ac97

    • SHA256

      3da0e424a6f1268f5682d59be1f83572479c28ca1fb7dab48d0b53220acef66e

    • SHA512

      21a3195665975ba3ec7b042a19b9ce39b5311e7c96070e7a968e7a1f39514a0df3569e39b313529dbb6b948195cd294077fd5b4e8a81e08a38b4ba2d8f6f6f32

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Suspicious use of SetThreadContext

    • Target

      wTzxLyAQL7H5FI0GIaor5FbA.exe

    • Size

      900KB

    • MD5

      7714deedb24c3dcfa81dc660dd383492

    • SHA1

      56fae3ab1186009430e175c73b914c77ed714cc0

    • SHA256

      435badbad2fc138245a4771a74ebb9075658e294d1bcfcf191ccea466eea825c

    • SHA512

      2cf05ac9470ab4e6d487ec9e4d7ab36fb2c8ce1405dba01b58934778829c7c4db703818087e0c5fbffe6cf821dfa190427e1205530409359ace2ad416e781c58

    Score: 6/10
    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      xiGD01oEkhh5s50F0Mw8lPVJ.exe

    • Size

      381KB

    • MD5

      58f5dca577a49a38ea439b3dc7b5f8d6

    • SHA1

      175dc7a597935b1afeb8705bd3d7a556649b06cf

    • SHA256

      857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98

    • SHA512

      3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a

    • Modifies Windows Defender Real-time Protection settings

    • NetSupport

      NetSupport is a remote access tool sold as a legitimate system administration software.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      yBqNUgvOW6iDky2dKdBCi5Fb.exe

    • Size

      927KB

    • MD5

      0e86a231689637b656a0764f2017d22f

    • SHA1

      70954ef5b83a7b0cd9dca4542d63bf3a7dc7ac97

    • SHA256

      3da0e424a6f1268f5682d59be1f83572479c28ca1fb7dab48d0b53220acef66e

    • SHA512

      21a3195665975ba3ec7b042a19b9ce39b5311e7c96070e7a968e7a1f39514a0df3569e39b313529dbb6b948195cd294077fd5b4e8a81e08a38b4ba2d8f6f6f32

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
  • Registry Run Keys / Startup Folder (T1060): 4
  • Modify Existing Service (T1031): 2
  • New Service (T1050): 1

Privilege Escalation
  • New Service (T1050): 1

Defense Evasion
  • Virtualization/Sandbox Evasion (T1497): 7
  • Modify Registry (T1112): 13
  • Install Root Certificate (T1130): 6
  • Disabling Security Tools (T1089): 1

Credential Access
  • Credentials in Files (T1081): 35

Discovery
  • System Information Discovery (T1082): 34
  • Query Registry (T1012): 38
  • Virtualization/Sandbox Evasion (T1497): 7
  • Peripheral Device Discovery (T1120): 3
  • Remote System Discovery (T1018): 1

Collection
  • Data from Local System (T1005): 35

Command and Control
  • Web Service (T1102): 1

Tasks

static1
  Tags: themida, redline
  Score: 10/10

behavioral1
  Score: 10/10

behavioral2
  Tags: redline, 23.08, discovery, infostealer, spyware, stealer
  Score: 10/10

behavioral3
  Tags: discovery, evasion, spyware, stealer, themida, trojan
  Score: 9/10

behavioral4
  Tags: discovery, evasion, spyware, stealer, themida, trojan
  Score: 9/10

behavioral5
  Score: 1/10

behavioral6
  Score: 10/10

behavioral7
  Tags: glupteba, metasploit, backdoor, dropper, loader, trojan
  Score: 10/10

behavioral8
  Score: 10/10

behavioral9
  Tags: vidar, 995, discovery, spyware, stealer, suricata
  Score: 10/10

behavioral10
  Tags: redline, dibild2, discovery, infostealer, spyware, stealer
  Score: 10/10

behavioral11
  Tags: glupteba, metasploit, backdoor, dropper, loader, trojan
  Score: 10/10

behavioral12
  Score: 6/10

behavioral13
  Score: 10/10

behavioral14
  Tags: discovery, evasion, spyware, stealer, themida, trojan
  Score: 9/10

behavioral15
  Tags: discovery, evasion, spyware, stealer, themida, trojan
  Score: 9/10

behavioral16
  Tags: raccoon, smokeloader, xmrig, fd34ae8fb78d0554aa7caf12c271e01efb3342f6, backdoor, discovery, miner, persistence, spyware, stealer, trojan, upx
  Score: 10/10

behavioral17
  Tags: discovery, evasion, spyware, stealer, themida, trojan
  Score: 9/10

behavioral18
  Score: 8/10

behavioral19
  Score: 8/10

behavioral20
  Tags: redline, discovery, infostealer, persistence, spyware, stealer
  Score: 10/10

behavioral21
  Tags: vidar, 995, discovery, spyware, stealer, suricata
  Score: 10/10

behavioral22
  Tags: discovery, evasion, spyware, stealer, themida, trojan
  Score: 9/10

behavioral23
  Tags: vidar, 937, discovery, spyware, stealer, suricata
  Score: 10/10

behavioral24
  Tags: redline, discovery, infostealer, persistence, spyware, stealer
  Score: 10/10

behavioral25
  Tags: redline, test 22.08, discovery, infostealer, spyware, stealer, suricata
  Score: 10/10

behavioral26
  Score: 1/10

behavioral27
  Tags: redline, discovery, infostealer, spyware, stealer
  Score: 10/10

behavioral28
  Tags: redline, @original_finest, infostealer
  Score: 10/10

behavioral29
  Score: 6/10

behavioral30
  Tags: netsupport, redline, socelars, tofsee, vidar, 916, allsup, discovery, evasion, infostealer, persistence, rat, spyware, stealer, suricata, trojan
  Score: 10/10

behavioral31
  Tags: redline, @original_finest, infostealer
  Score: 10/10