Analysis tasks (sample, score, platform)
Mr4X5srRQR...AN.exe: 10 (windows10_x64)
OEmxRS9Uai...jI.exe: 10 (windows10_x64)
OvVYhhgvd6...oB.exe: 9 (windows10_x64)
QKvpJeDIaP...YY.exe: 9 (windows10_x64)
QwnNK2SHck...xe.xml: 1 (windows10_x64)
QxZsdXOO8X...jN.exe: 10 (windows10_x64)
QzUu4XgUxQ...C3.exe: 10 (windows10_x64)
SHSPDO6BYD...j9.exe: 10 (windows10_x64)
SqCuVl85T1...Di.exe: 10 (windows10_x64)
T8Ulrjj8F6..._x.exe: 10 (windows10_x64)
Trj0QcTNVE...S9.exe: 10 (windows10_x64)
Uwc7l02Hzj...tU.exe: 6 (windows10_x64)
VoTrXaqIJ3...LW.exe: 10 (windows10_x64)
Wp77te7Dqj...Hr.exe: 9 (windows10_x64)
XOCYAkm_Nn...Q3.exe: 9 (windows10_x64)
Xd_XnNqsZT...Ai.exe: 10 (windows10_x64)
Xr9ca9oQNQ...Z9.exe: 9 (windows10_x64)
XukfUfK8HA...FI.exe: 8 (windows10_x64)
YPTXDeqMC1...ns.exe: 8 (windows10_x64)
ma_5nZD3yo...xT.exe: 10 (windows10_x64)
pnDF_dk604...fi.exe: 10 (windows10_x64)
q_TzaanAkp...91.exe: 9 (windows10_x64)
rgVakr0Eru...xw.exe: 10 (windows10_x64)
t1fkwFYUEZ...r4.exe: 10 (windows10_x64)
tC6gdsFTgl...3x.exe: 10 (windows10_x64)
tGeiUalbSc...xe.xml: 1 (windows10_x64)
uMWmES83od...kJ.exe: 10 (windows10_x64)
v5n1HuUxta...Iu.exe: 10 (windows10_x64)
wTzxLyAQL7...bA.exe: 6 (windows10_x64)
xiGD01oEkh...VJ.exe: 10 (windows10_x64)
yBqNUgvOW6...Fb.exe: 10 (windows10_x64)

General
Target: 3malwarefolder.rar
Size: 33.0MB
Sample: 210823-cn9tqs7c86
MD5: e7c4552ea9e58373f3b1dd76236c0817
SHA1: 31269b693b8bb5ece8453ce53390d9fddda455ce
SHA256: 909aaea4a3072305c0bcaab9d7b9cab70990305541db276ab8d870e3fbc51a18
SHA512: 245dd8d99f9aee193e4323b46cd88ee199b9629a6803f472ef783d63cdd865f3005c5fc69d397d5f3bfe8442be3a89af127a1076034e95f53148260fea641dcc

Behavioral tasks (task: sample, resource)
behavioral1: Mr4X5srRQR20TfuVZShfsrAN.exe, win10v20210410
behavioral2: OEmxRS9UaiMPqIKXPz6Ef8jI.exe, win10v20210410
behavioral3: OvVYhhgvd6ZhUony5cRMqVoB.exe, win10v20210410
behavioral4: QKvpJeDIaPtXDcwKwH_WmAYY.exe, win10v20210410
behavioral5: QwnNK2SHckcc_GsoTwi8hDi5.exe.xml, win10v20210410
behavioral6: QxZsdXOO8Xn2bW7iW8ff3gjN.exe, win10v20210408
behavioral7: QzUu4XgUxQuvhFNx7Nf5D6C3.exe, win10v20210410
behavioral8: SHSPDO6BYDV7xlwsZDJxsLj9.exe, win10v20210410
behavioral9: SqCuVl85T1P8OuH3gpVMKnDi.exe, win10v20210410
behavioral10: T8Ulrjj8F65YXJ2qZEm11v_x.exe, win10v20210408
behavioral11: Trj0QcTNVE3l8SBp_3LNLFS9.exe, win10v20210408
behavioral12: Uwc7l02HzjEVLDdBFF3ZKItU.exe, win10v20210408
behavioral13: VoTrXaqIJ3vc2GnUIU6Wi5LW.exe, win10v20210408
behavioral14: Wp77te7DqjxTjTIGMDSB0RHr.exe, win10v20210410
behavioral15: XOCYAkm_NnnfPmgVDNgu9MQ3.exe, win10v20210410
behavioral16: Xd_XnNqsZTJJf8dCq4s_mlAi.exe, win10v20210410
behavioral17: Xr9ca9oQNQWbUwEgChRmX6Z9.exe, win10v20210408
behavioral18: XukfUfK8HAbjc5wMknHwOhFI.exe, win10v20210408
behavioral19: YPTXDeqMC118ip3zHbyxwlns.exe, win10v20210410
behavioral20: ma_5nZD3yos0uV8jzHnJSVxT.exe, win10v20210408
behavioral21: pnDF_dk604_fxVsUaLPL1Vfi.exe, win10v20210410
behavioral22: q_TzaanAkp60Doa2Vt025l91.exe, win10v20210410
behavioral23: rgVakr0EruC2FtauFmrgXkxw.exe, win10v20210408
behavioral24: t1fkwFYUEZVXvf_7oFFpVnr4.exe, win10v20210410
behavioral25: tC6gdsFTgl9CBMrK_2QhZX3x.exe, win10v20210410
behavioral26: tGeiUalbScQ8sPK2KKmKZNga.exe.xml, win10v20210410
behavioral27: uMWmES83oduRUCtOU5jzfQkJ.exe, win10v20210410
behavioral28: v5n1HuUxtaYNHT7sRlXCCwIu.exe, win10v20210408
behavioral29: wTzxLyAQL7H5FI0GIaor5FbA.exe, win10v20210410
behavioral30: xiGD01oEkhh5s50F0Mw8lPVJ.exe, win10v20210410
behavioral31: yBqNUgvOW6iDky2dKdBCi5Fb.exe, win10v20210410

Malware Config (extracted configurations, values listed in the order the report gives them)
- redline: 23.08, 95.181.172.100:55640
- metasploit: windows/single_exec
- vidar: 40.1, 995, https://eduarroma.tumblr.com/ (profile_id 995)
- redline: dibild2, 135.148.139.222:1494
- smokeloader: 2020
  http://aucmoney.com/upload/
  http://thegymmum.com/upload/
  http://atvcampingtrips.com/upload/
  http://kuapakualaman.com/upload/
  http://renatazarazua.com/upload/
  http://nasufmutlu.com/upload/
- raccoon: fd34ae8fb78d0554aa7caf12c271e01efb3342f6 (url4cnc https://telete.in/jinnlitena1)
- redline: 205.185.119.191:18846
- vidar: 40.1, 937, https://eduarroma.tumblr.com/ (profile_id 937)
- redline: TEST 22.08, 94.103.83.88:65136
- redline: @Original_Finest, 159.69.190.155:35975
- vidar: 40.1, 916, https://eduarroma.tumblr.com/ (profile_id 916)
- redline: allsup, 188.124.36.242:25802

Targets

Target: Mr4X5srRQR20TfuVZShfsrAN.exe
Size: 321KB
MD5: 94c78c311f499024a9f97cfdbb073623
SHA1: 50e91d3eaa06d2183bf8c6c411947304421c5626
SHA256: 6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e
SHA512: 29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545
Score: 10/10
Signatures:
- Suspicious use of NtCreateProcessExOtherParentProcess

Target: OEmxRS9UaiMPqIKXPz6Ef8jI.exe
Size: 589KB
MD5: 34c76bcc1506b513c7a1ac605c045c4e
SHA1: 271c6b3853e33e039242da7cf8f4465c48e90d2e
SHA256: 1e7f2339065e8a6909eea27f090499a1af6427d1563ceac0cd25c916c637d29d
SHA512: cb2170b5fa492dcb7df54cfd7f4ad94214de98face0f1710cbad749c79bf322ea1106ace723520486bdeabdf0aa2eefbf70dcc060d61fcda1124298225c36865
Signatures:
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext

Target: OvVYhhgvd6ZhUony5cRMqVoB.exe
Size: 2.4MB
MD5: b15db436045c3f484296acc6cff34a86
SHA1: 346ae322b55e14611f10a64f336aaa9ff6fed68c
SHA256: dab2a18df66f2e74d0831a8b118de6b9df2642ac939cbad0552e30696d644193
SHA512: 804bee37e0a6247ef2edb5dba8d4b6820ff10b0a4cb76e4c039a7242285836ed5255a1f297f8ba96168d9295558844a9fd7ec3a977207f339296a001543c1fd9
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: QKvpJeDIaPtXDcwKwH_WmAYY.exe
Size: 2.4MB
MD5: a7feb91676ca65d3da71c8ff8798e2ec
SHA1: 96b60cacea9e992ae9eef8e159d51e50bb0c7a79
SHA256: 844c20ca22a32cb2b23ff601dd070dfc800240bbcb2cbd825f3d3b325ad18a5f
SHA512: d029d1e3746ae2c0dbf3351efbd744bdfef15fa9462de1cd35a4c5624d60365e5432e8ce7c49953b01df67f82525f35b79da371affc047e859ee61f60dbf9d75
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: QwnNK2SHckcc_GsoTwi8hDi5.exe
Size: 223B
MD5: a6a676051f857d516f6c4bec595a7cfb
SHA1: 10e7c48a109ffbe60fa7ab3585c4bd711942cbd2
SHA256: 98686e602b5f75bbceb801ca315617579ad9ffe9e2df66d49673ea35a7e1f343
SHA512: df302b28e5897bac668ad1ae2b32d2424af7c8cdf4527ac54ea268e6e9fbf41efe28b236af25ceacb5e5acd95b6c99b8cf95fa735687358a265bd59e2b127ba6
Score: 1/10
Signatures: none

Target: QxZsdXOO8Xn2bW7iW8ff3gjN.exe
Size: 317KB
MD5: 145bf5658332302310a7fe40ed77783d
SHA1: 5370ac46379b8db9d9fca84f21d411687109486f
SHA256: bddcd5eba3036a21b11e6d6d3cbe84daf562db27814adf7e32b5cc103d3c25d3
SHA512: d3d9a8231f256efee7ce7ba6841d78c598dc912e7e5d503a9a094e6303d0f9f165a60c5370f353076b1f592d7d9ee6765d0ba4863a1c4935bb47e2ffa4ffb776
Score: 10/10
Signatures:
- Suspicious use of NtCreateProcessExOtherParentProcess

Target: QzUu4XgUxQuvhFNx7Nf5D6C3.exe
Size: 4.4MB
MD5: 7627ef162e039104d830924c3dbdab77
SHA1: e81996dc45106b349cb8c31eafbc2d353dc2f68b
SHA256: 37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5
SHA512: 60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1
Signatures:
- Glupteba Payload
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Suspicious use of NtCreateUserProcessOtherParentProcess

Target: SHSPDO6BYDV7xlwsZDJxsLj9.exe
Size: 317KB
MD5: 145bf5658332302310a7fe40ed77783d
SHA1: 5370ac46379b8db9d9fca84f21d411687109486f
SHA256: bddcd5eba3036a21b11e6d6d3cbe84daf562db27814adf7e32b5cc103d3c25d3
SHA512: d3d9a8231f256efee7ce7ba6841d78c598dc912e7e5d503a9a094e6303d0f9f165a60c5370f353076b1f592d7d9ee6765d0ba4863a1c4935bb47e2ffa4ffb776
Score: 10/10
Signatures:
- Suspicious use of NtCreateProcessExOtherParentProcess

Target: SqCuVl85T1P8OuH3gpVMKnDi.exe
Size: 599KB
MD5: 85d019feb83854aa587fb13a34d1e2e7
SHA1: 5af4a2e70f32dc2705d3517260341456249b96b7
SHA256: 8acc169eac0f47377ad2a34a4fe277b73431f26cf3b262728bc1a8f17020c3e8
SHA512: aa0baabd8d2533464b1ce752f14adbaf93da91abad85a10bdbef4463f4c260f224deb37ac332221b9e7eee053f58eaca96fe44f679d8d8cbcfb75a04ffaa953d
Signatures:
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
- Vidar Stealer
- Downloads MZ/PE file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Target: T8Ulrjj8F65YXJ2qZEm11v_x.exe
Size: 586KB
MD5: 29903569f45cc9979551427cc5d9fd99
SHA1: 0487682dd1300b26cea9275a405c8ad3383a1583
SHA256: eec05dc9ade2a7ee74ea5fb115bdd687b457d1f81841238a61e9775d6cc4bfa6
SHA512: f8f29c163bfabc90ade4981523feb943656cc20a562e5b4f6f2c6788f781408aec39114a129e765332aa0022d154d4516e9cb56bc01762b114833fddb30d23fb
Signatures:
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext

Target: Trj0QcTNVE3l8SBp_3LNLFS9.exe
Size: 4.4MB
MD5: 7627ef162e039104d830924c3dbdab77
SHA1: e81996dc45106b349cb8c31eafbc2d353dc2f68b
SHA256: 37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5
SHA512: 60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1
Signatures:
- Glupteba Payload
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Suspicious use of NtCreateUserProcessOtherParentProcess

Target: Uwc7l02HzjEVLDdBFF3ZKItU.exe
Size: 900KB
MD5: 7714deedb24c3dcfa81dc660dd383492
SHA1: 56fae3ab1186009430e175c73b914c77ed714cc0
SHA256: 435badbad2fc138245a4771a74ebb9075658e294d1bcfcf191ccea466eea825c
SHA512: 2cf05ac9470ab4e6d487ec9e4d7ab36fb2c8ce1405dba01b58934778829c7c4db703818087e0c5fbffe6cf821dfa190427e1205530409359ace2ad416e781c58
Score: 6/10
Signatures:
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.

Target: VoTrXaqIJ3vc2GnUIU6Wi5LW.exe
Size: 321KB
MD5: 94c78c311f499024a9f97cfdbb073623
SHA1: 50e91d3eaa06d2183bf8c6c411947304421c5626
SHA256: 6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e
SHA512: 29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545
Score: 10/10
Signatures:
- Suspicious use of NtCreateProcessExOtherParentProcess

Target: Wp77te7DqjxTjTIGMDSB0RHr.exe
Size: 2.4MB
MD5: 161b975933aaae18920d241890000dac
SHA1: 1cbbad54762c6301ad9ad2291159b9d2a141c143
SHA256: dcdb0bc5e91652e7e3d2269581275c18d8c5eabbde14f9c17c99e5ff49e54a83
SHA512: 758d1d206c887637d0727ba380d94d4cc1bb8a37cc705dbe62435a45c4ebb0ea111c9e9238261da64dd0d8ee5e27fd9851053dffa0359670a165973dd4f91443
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: XOCYAkm_NnnfPmgVDNgu9MQ3.exe
Size: 5.3MB
MD5: 083da7bfea93dcaac5ca4c910c0c9636
SHA1: 5d94f9e397441ee8bb733122f9dce827b80f7e96
SHA256: c06817143741717add66241dcd4f1b6ce497c6242d78793a69661b47a3796535
SHA512: 067b5940f3c04bbe908e978b735818cc6e46f8a34a6dfffdf63eca062b855d19a83f12e351dcb5da81464981771bb2a717d39bed9abdd96087cf4cd2996b31b5
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: Xd_XnNqsZTJJf8dCq4s_mlAi.exe
Size: 273KB
MD5: ac7f28f999ef6657abc24673642b518a
SHA1: 37c701301ba28e8329f7c990a790320d021331a0
SHA256: 46d153d7d517ea834af83364c01388f5c4af458c359625244aa7bac158e8bff2
SHA512: d45fe4a99c81d2221ebb4b537a23ac2a64e05defb8c789eb8a716af30685d2ca5963e8caeadcaec74e5ea588311ea59509077f14870193408114b261e7b97370
Signatures:
- XMRig Miner Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext

Target: Xr9ca9oQNQWbUwEgChRmX6Z9.exe
Size: 2.4MB
MD5: 161b975933aaae18920d241890000dac
SHA1: 1cbbad54762c6301ad9ad2291159b9d2a141c143
SHA256: dcdb0bc5e91652e7e3d2269581275c18d8c5eabbde14f9c17c99e5ff49e54a83
SHA512: 758d1d206c887637d0727ba380d94d4cc1bb8a37cc705dbe62435a45c4ebb0ea111c9e9238261da64dd0d8ee5e27fd9851053dffa0359670a165973dd4f91443
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: XukfUfK8HAbjc5wMknHwOhFI.exe
Size: 1.1MB
MD5: 3b4348d187f24c82370836531f3fa94e
SHA1: a2ca4e9f4a8d9c8634e42765e90e252803e20b15
SHA256: cd189a8c952420bf33b68cce03b41900e8c784b1010213b097ecdb2d7e8079f7
SHA512: 2bab3c1e38a21cefc06363db75931bf3bfe0b4ee3f089293a750dfc866abc32c7135d2d9ba7ccb005aa01ad02d0a75a5fa02f85ca78cc8fe637615b7fa9e7394
Score: 8/10
Signatures:
- Executes dropped EXE
- Loads dropped DLL

Target: YPTXDeqMC118ip3zHbyxwlns.exe
Size: 1.1MB
MD5: 3b4348d187f24c82370836531f3fa94e
SHA1: a2ca4e9f4a8d9c8634e42765e90e252803e20b15
SHA256: cd189a8c952420bf33b68cce03b41900e8c784b1010213b097ecdb2d7e8079f7
SHA512: 2bab3c1e38a21cefc06363db75931bf3bfe0b4ee3f089293a750dfc866abc32c7135d2d9ba7ccb005aa01ad02d0a75a5fa02f85ca78cc8fe637615b7fa9e7394
Score: 8/10
Signatures:
- Executes dropped EXE
- Loads dropped DLL

Target: ma_5nZD3yos0uV8jzHnJSVxT.exe
Size: 163KB
MD5: ec3921304077e2ac56d2f5060adab3d5
SHA1: 923cf378ec34c6d660f88c7916c083bedb9378aa
SHA256: b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f
SHA512: 3796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28
Signatures:
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Executes dropped EXE
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Target: pnDF_dk604_fxVsUaLPL1Vfi.exe
Size: 599KB
MD5: 85d019feb83854aa587fb13a34d1e2e7
SHA1: 5af4a2e70f32dc2705d3517260341456249b96b7
SHA256: 8acc169eac0f47377ad2a34a4fe277b73431f26cf3b262728bc1a8f17020c3e8
SHA512: aa0baabd8d2533464b1ce752f14adbaf93da91abad85a10bdbef4463f4c260f224deb37ac332221b9e7eee053f58eaca96fe44f679d8d8cbcfb75a04ffaa953d
Signatures:
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
- Vidar Stealer
- Downloads MZ/PE file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Target: q_TzaanAkp60Doa2Vt025l91.exe
Size: 2.5MB
MD5: f4f313d1f82fa87e710bd947a3667384
SHA1: 6ac08dd818b3dac502041508399f8c6392668521
SHA256: 492f4d8cae0b2cd6105f089b368d322bf6e388a803890f5196d5ccc4ac85bb04
SHA512: 97e4af0f46fa9e9b3d5a916af3a50bb6c9ba4df8fd5d63c63764f2a421f0eb04b4d48df2293152dcbe6184ffeb8adb9552d250aaab0e2f95ffdea443a853b59a
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: rgVakr0EruC2FtauFmrgXkxw.exe
Size: 610KB
MD5: 592404767648b0afc3cab6fade2fb7d2
SHA1: bab615526528b498a09d76decbf86691807e7822
SHA256: 3593247c384586966e5a0e28eb4c4174b31e93c78c7a9e8fef96ec42a152e509
SHA512: 83819e4956ac6da21c4927fa6edee2b178bc89bcda8fb5f4d0767d0d8310393f50f0f7e76e1a963002626a8176abfa8d864c9229a41e5b61e1a24a32d379dda9
Signatures:
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
- Vidar Stealer
- Downloads MZ/PE file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Target: t1fkwFYUEZVXvf_7oFFpVnr4.exe
Size: 163KB
MD5: ec3921304077e2ac56d2f5060adab3d5
SHA1: 923cf378ec34c6d660f88c7916c083bedb9378aa
SHA256: b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f
SHA512: 3796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28
Signatures:
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Executes dropped EXE
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Target: tC6gdsFTgl9CBMrK_2QhZX3x.exe
Size: 1.0MB
MD5: 956c60ba7d7d44f04b4d9ae2db9f723e
SHA1: 5b254193558cd413b015cd7efe7633e8712ffcb5
SHA256: 318ca6786488302f65aa4989d7be9b8ae25225ceef57894ef47e485153742170
SHA512: e5b10f641a8544f873ae23c37e0a7d850a0e59b012f0bf01d0a75382e3728436ff2c0077b8a61c71008ec44739fadedc5bdd1f33d052acf589dd944918fa1945
Signatures:
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext

Target: tGeiUalbScQ8sPK2KKmKZNga.exe
Size: 223B
MD5: a6a676051f857d516f6c4bec595a7cfb
SHA1: 10e7c48a109ffbe60fa7ab3585c4bd711942cbd2
SHA256: 98686e602b5f75bbceb801ca315617579ad9ffe9e2df66d49673ea35a7e1f343
SHA512: df302b28e5897bac668ad1ae2b32d2424af7c8cdf4527ac54ea268e6e9fbf41efe28b236af25ceacb5e5acd95b6c99b8cf95fa735687358a265bd59e2b127ba6
Score: 1/10
Signatures: none

Target: uMWmES83oduRUCtOU5jzfQkJ.exe
Size: 264KB
MD5: c7ccbd62c259a382501ff67408594011
SHA1: c1dca912e6c63e3730f261a3b4ba86dec0acd5f3
SHA256: 8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437
SHA512: 5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b
Score: 10/10
Signatures:
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Target: v5n1HuUxtaYNHT7sRlXCCwIu.exe
Size: 927KB
MD5: 0e86a231689637b656a0764f2017d22f
SHA1: 70954ef5b83a7b0cd9dca4542d63bf3a7dc7ac97
SHA256: 3da0e424a6f1268f5682d59be1f83572479c28ca1fb7dab48d0b53220acef66e
SHA512: 21a3195665975ba3ec7b042a19b9ce39b5311e7c96070e7a968e7a1f39514a0df3569e39b313529dbb6b948195cd294077fd5b4e8a81e08a38b4ba2d8f6f6f32
Score: 10/10
Signatures:
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of SetThreadContext

Target: wTzxLyAQL7H5FI0GIaor5FbA.exe
Size: 900KB
MD5: 7714deedb24c3dcfa81dc660dd383492
SHA1: 56fae3ab1186009430e175c73b914c77ed714cc0
SHA256: 435badbad2fc138245a4771a74ebb9075658e294d1bcfcf191ccea466eea825c
SHA512: 2cf05ac9470ab4e6d487ec9e4d7ab36fb2c8ce1405dba01b58934778829c7c4db703818087e0c5fbffe6cf821dfa190427e1205530409359ace2ad416e781c58
Score: 6/10
Signatures:
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.

Target: xiGD01oEkhh5s50F0Mw8lPVJ.exe
Size: 381KB
MD5: 58f5dca577a49a38ea439b3dc7b5f8d6
SHA1: 175dc7a597935b1afeb8705bd3d7a556649b06cf
SHA256: 857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98
SHA512: 3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a
Signatures:
- NetSupport
  NetSupport is a remote access tool sold as legitimate system administration software.
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
- suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
- suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Vidar Stealer
- Creates new service(s)
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext

Target: yBqNUgvOW6iDky2dKdBCi5Fb.exe
Size: 927KB
MD5: 0e86a231689637b656a0764f2017d22f
SHA1: 70954ef5b83a7b0cd9dca4542d63bf3a7dc7ac97
SHA256: 3da0e424a6f1268f5682d59be1f83572479c28ca1fb7dab48d0b53220acef66e
SHA512: 21a3195665975ba3ec7b042a19b9ce39b5311e7c96070e7a968e7a1f39514a0df3569e39b313529dbb6b948195cd294077fd5b4e8a81e08a38b4ba2d8f6f6f32
Score: 10/10
Signatures:
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6; technique: number of hits)
Persistence
- Registry Run Keys / Startup Folder: 4
- Modify Existing Service: 2
- New Service: 1
Defense Evasion
- Virtualization/Sandbox Evasion: 7
- Modify Registry: 13
- Install Root Certificate: 6
- Disabling Security Tools: 1