Overview

Overall score: 10/10

Static analysis: score 10/10

Behavioral analysis (sample, platform, score):
  Fri191454c4b4.exe       windows7_x64    8/10
  Fri191454c4b4.exe       windows10_x64   8/10
  Fri1921f7a9d3.exe       windows7_x64    10/10
  Fri1921f7a9d3.exe       windows10_x64   10/10
  Fri192902b3c24.exe      windows7_x64    10/10
  Fri192902b3c24.exe      windows10_x64   10/10
  Fri192b9eeaa03b.exe     windows7_x64    10/10
  Fri192b9eeaa03b.exe     windows10_x64   10/10
  Fri192c305b4a.exe       windows7_x64    10/10
  Fri192c305b4a.exe       windows10_x64   10/10
  Fri192f077...dd.exe     windows7_x64    10/10
  Fri192f077...dd.exe     windows10_x64   10/10
  Fri195cd4d...97.exe     windows7_x64    10/10
  Fri195cd4d...97.exe     windows10_x64   10/10
  Fri19870e2...44.exe     windows7_x64    10/10
  Fri19870e2...44.exe     windows10_x64   10/10
  Fri19927b4...d1.exe     windows7_x64    10/10
  Fri19927b4...d1.exe     windows10_x64   10/10
  Fri19ca03f05489b.exe    windows7_x64    6/10
  Fri19ca03f05489b.exe    windows10_x64   6/10
  Fri19d30056588.exe      windows7_x64    10/10
  Fri19d30056588.exe      windows10_x64   10/10
  libcurl.dll             windows7_x64    3/10
  libcurl.dll             windows10_x64   3/10
  libcurlpp.dll           windows7_x64    -
  libcurlpp.dll           windows10_x64   3/10
  libgcc_s_dw2-1.dll      windows7_x64    -
  libgcc_s_dw2-1.dll      windows10_x64   3/10
  libstdc++-6.dll         windows7_x64    3/10
  libstdc++-6.dll         windows10_x64   3/10
  libwinpthread-1.dll     windows7_x64    1/10
  libwinpthread-1.dll     windows10_x64   1/10

General

  Target: 7zS4B82526C.rar
  Size: 4.4MB
  Sample: 210910-1bt9ysdgcm
  MD5: 88d0a356fa2cd6608e22f48d2865dc7a
  SHA1: 4f9f3b8122c23c80d055a89208e2596b75714694
  SHA256: 8050946d45275d1d9a207b61e1e7c69f906193fe120b111497bb15960f9ca379
  SHA512: 53700f70b5e983d195d3fab717b7828b3919c9a75102ebc1c958617dddf31ae6135da91580c4088b2018ff5e1bd3c4b0d9b8bbe305c0c876c191d49fdacbc0f4
Behavioral tasks (task, sample, resource):
  behavioral1   Fri191454c4b4.exe        win7v20210408
  behavioral2   Fri191454c4b4.exe        win10-en
  behavioral3   Fri1921f7a9d3.exe        win7v20210408
  behavioral4   Fri1921f7a9d3.exe        win10-en
  behavioral5   Fri192902b3c24.exe       win7-en
  behavioral6   Fri192902b3c24.exe       win10v20210408
  behavioral7   Fri192b9eeaa03b.exe      win7-en
  behavioral8   Fri192b9eeaa03b.exe      win10v20210408
  behavioral9   Fri192c305b4a.exe        win7-en
  behavioral10  Fri192c305b4a.exe        win10v20210408
  behavioral11  Fri192f077acf656dd.exe   win7-en
  behavioral12  Fri192f077acf656dd.exe   win10-en
  behavioral13  Fri195cd4dbfdf37897.exe  win7v20210408
  behavioral14  Fri195cd4dbfdf37897.exe  win10-en
  behavioral15  Fri19870e2febf5544.exe   win7v20210408
  behavioral16  Fri19870e2febf5544.exe   win10-en
  behavioral17  Fri19927b4fe38a9d1.exe   win7v20210408
  behavioral18  Fri19927b4fe38a9d1.exe   win10-en
  behavioral19  Fri19ca03f05489b.exe     win7-en
  behavioral20  Fri19ca03f05489b.exe     win10v20210408
  behavioral21  Fri19d30056588.exe       win7-en
  behavioral22  Fri19d30056588.exe       win10v20210408
  behavioral23  libcurl.dll              win7-en
  behavioral24  libcurl.dll              win10v20210408
  behavioral25  libcurlpp.dll            win7-en
  behavioral26  libcurlpp.dll            win10v20210408
  behavioral27  libgcc_s_dw2-1.dll       win7-en
  behavioral28  libgcc_s_dw2-1.dll       win10-en
  behavioral29  libstdc++-6.dll          win7v20210408
  behavioral30  libstdc++-6.dll          win10-en
  behavioral31  libwinpthread-1.dll      win7v20210408
  behavioral32  libwinpthread-1.dll      win10-en
Malware Config

Extracted: vidar
  40.5
  706
  https://gheorghip.tumblr.com/
  profile_id: 706

Extracted: redline
  jane06
  94.103.94.214:29899

Extracted: metasploit
  windows/single_exec

Extracted: redline
  zzzzz
  146.70.35.170:30905

Extracted: redline
  Test
  18.118.84.99:1050

Extracted: smokeloader
  2020
  http://varmisende.com/upload/
  http://fernandomayol.com/upload/
  http://nextlytm.com/upload/
  http://people4jan.com/upload/
  http://asfaltwerk.com/upload/

Extracted: redline
  185.215.113.29:8678

Extracted: vidar
  40.5
  517
  https://gheorghip.tumblr.com/
  profile_id: 517

Extracted: redline
  pab123
  45.14.49.169:22411
Targets

Target: Fri191454c4b4.exe
  Size: 151KB
  MD5: 7c8489d12be3a8b7c8d0a1cec55e2c34
  SHA1: 01d47c6e6809392ee6c85f3204d43b4dc5e83544
  SHA256: 6e5c3d18da03948721f6a66c441990b099f5f9abec0ab8a0ebe7aa9b83fad784
  SHA512: 83381a04e2ed42f0098f4d37592811aea0ad37e6fb0d6a5b8ba05563bf51ac229f5626fdc9a63ef3edbd1ef9d30948c8227a139c2abeabf11cdbced01cfc2f64
  Score: 8/10
  Signatures:
    Executes dropped EXE
    Loads dropped DLL
    Accesses cryptocurrency files/wallets, possible credential harvesting
    Adds Run key to start application
    Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.

Target: Fri1921f7a9d3.exe
  Size: 99KB
  MD5: a1c7ed2563212e0aba70af8a654962fd
  SHA1: 987e944110921327adaba51d557dbf20dee886d5
  SHA256: a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
  SHA512: 60d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462
  Score: 10/10
  Signatures:
    Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.
    Loads dropped DLL
    Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    Drops file in System32 directory
    Suspicious use of SetThreadContext

Target: Fri192902b3c24.exe
  Size: 607KB
  MD5: a0105d243e43fe20fcfebfbe7530aaf2
  SHA1: bfc1be1630bd4177d19c76714c95f48d8ba33c14
  SHA256: 496f67cf5c0907c1799fe892f3ce8c406c9b47256b8bc3d4c68032b4b9f99ea1
  SHA512: 800a968962eec1c17694bbb59ba3faf03c8e5a35a685d3282840c6a9914c71604243eb09ba49ee2b93d60b970ee6797ee5ffcdecbe84bfce59e251517cbad554
  Signatures:
    suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
    suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
    Vidar Stealer
    Downloads MZ/PE file
    Loads dropped DLL
    Accesses cryptocurrency files/wallets, possible credential harvesting
    Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.

Target: Fri192b9eeaa03b.exe
  Size: 739KB
  MD5: b160ce13f27f1e016b7bfc7a015f686b
  SHA1: bfb714891d12ffd43875e72908d8b9f4f576ad6e
  SHA256: fac205247d3b19b5f82f5f4d1269a5c047b6c9ad9f21cc51b4b782c2b08a3b87
  SHA512: 9578fc34807be2541aa7dc26acbe27211e96b42c6c4208afe195b19b08264dfeb3ea7fec637c759f062cbd5561c5140ecd68cd5c79efbb844d3b2639e336ca0c
  Score: 10/10
  Signatures:
    Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.
    Suspicious use of NtCreateProcessExOtherParentProcess
    Checks for common network interception software
      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
    Blocklisted process makes network request
    Downloads MZ/PE file
    Drops file in Drivers directory
    Executes dropped EXE
    Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    Loads dropped DLL
    Adds Run key to start application
    Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    Enumerates connected drives
      Attempts to read the root path of hard drives other than the default C: drive.
    Legitimate hosting services abused for malware hosting/C2
    Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    Drops file in System32 directory
    Suspicious use of SetThreadContext

Target: Fri192c305b4a.exe
  Size: 1.5MB
  MD5: b9d6fa9af107c8f185fa981e9365a3ec
  SHA1: 77b4459537959d478a4dc9ba64c80d44a278f679
  SHA256: 37b758e9d8ac0212bde2acff6c6a1d53f0bfcc202f2d129a7ee4e0a4dcac3770
  SHA512: a9c631b58686dd0b86c95046709d667fae31dddd7a74b62235840d67d2aa4b2ce1cdc235f87d151c880137ee7d69cb934dc6239aada7de9b532b331b9e54b090
  Signatures:
    RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    RedLine Payload
    Downloads MZ/PE file
    Executes dropped EXE
    Drops startup file
    Loads dropped DLL
    Accesses cryptocurrency files/wallets, possible credential harvesting
    Adds Run key to start application
    Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    Suspicious use of SetThreadContext

Target: Fri192f077acf656dd.exe
  Size: 116KB
  MD5: f43d41f88c343d2d97c010ec7269320d
  SHA1: 93d2e9e30cc7db5615bb113293ce2b24b848368a
  SHA256: 30d2e1ce1f57936fae0b6c7f70917e5b352dc8a891b3d012f762f79d2c46ccc1
  SHA512: 61282378378304381502cf3e6dd2d88e20345d1a62286893eae7d3101016f71823c341ad0c18865dce6c3a8e98f26e6657cdf65a30cfac171ca9cd04aac45db6
  Signatures:
    Glupteba Payload
    MetaSploit
      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
    Suspicious use of NtCreateUserProcessOtherParentProcess
    XMRig Miner Payload
    Downloads MZ/PE file
    Executes dropped EXE
    Loads dropped DLL
    Legitimate hosting services abused for malware hosting/C2
    Suspicious use of SetThreadContext

Target: Fri195cd4dbfdf37897.exe
  Size: 381KB
  MD5: 45d1381f848b167ba1bca659f0f36556
  SHA1: bb282731c8f1794a5134a97c91312b98edde72d6
  SHA256: 8a1b542e56cf75216fcd1d1dd4bf379b8b4e7a473785013d5fbf6ce02dbdcf28
  SHA512: a7171f37ae4612cda2c66fece92deea537942697b4580f938cdd9d07d445d89bac193e934569141fe064355b2a5e675aaa5c348298d96ff1e13dbe01732eeb0f
  Signatures:
    NetSupport
      NetSupport is a remote access tool sold as a legitimate system administration software.
    Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.
    RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    RedLine Payload
    Suspicious use of NtCreateUserProcessOtherParentProcess
    XMRig Miner Payload
    Blocklisted process makes network request
    Downloads MZ/PE file
    Executes dropped EXE
    Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    Loads dropped DLL
    Accesses cryptocurrency files/wallets, possible credential harvesting
    Adds Run key to start application
    Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    Enumerates connected drives
      Attempts to read the root path of hard drives other than the default C: drive.
    Legitimate hosting services abused for malware hosting/C2
    Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    Drops file in System32 directory
    Suspicious use of SetThreadContext

Target: Fri19870e2febf5544.exe
  Size: 152KB
  MD5: 29bfd17aa35ed0486dfb5ae655514a66
  SHA1: f3d8abf6736e0c79a09e2969b78cd3fcd2dfc96f
  SHA256: 940fcd65f551869d96be42d253572e657f5493de4454229a6430814abb862e49
  SHA512: 90f8756378196095ac5405d5055a3041b7e5bba033a83d614a7a3b5fc70872311169cd434b8576137bc7c8edc56b2b0c6b3b7d97bcc527d0dcde91e25a4e85cd
  Signatures:
    Detected Djvu ransomware
    RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    RedLine Payload
    suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
    suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
    suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
    suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
    Identifies VirtualBox via ACPI registry values (likely anti-VM)
    Vidar Stealer
    Downloads MZ/PE file
    Executes dropped EXE
    Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.
    Deletes itself
    Loads dropped DLL
    Modifies file permissions
    Accesses cryptocurrency files/wallets, possible credential harvesting
    Adds Run key to start application
    Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    Suspicious use of NtSetInformationThreadHideFromDebugger
    Suspicious use of SetThreadContext

Target: Fri19927b4fe38a9d1.exe
  Size: 390KB
  MD5: 17453605e54baa73884d6dce7d57d439
  SHA1: 0153451591fb1b7a5dadaf8206265c094b9f15ad
  SHA256: 065d26691736150f3643cb4bd06e991f62160406936d9053a82af11b8d0272ff
  SHA512: 8e0472691fdbd700fbc28ed4e66cdd11696df1fb70d22a35876c936484fe99acc8038683f938047493b71603012aebdd0b4fbb192e57d66d6b0e873a8d727de3
  Signatures:
    RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    RedLine Payload
    Accesses cryptocurrency files/wallets, possible credential harvesting
    Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.

Target: Fri19ca03f05489b.exe
  Size: 1.3MB
  MD5: 5af7bc821a1501b38c4b153fa0f5dade
  SHA1: 467635cce64ae4e3ce41d1819d2ec6abdf5414f3
  SHA256: 773f2e6660cc3a2b3bb55c0b88a74d24db0dfc5c0cef7c5b13ec9aac48f5d6b6
  SHA512: 53fd58565d6ca16fc9ca7113cd90657ef8c09fa2efcc9603f6da5c2a3050aaeb1d8edfc46b2b40d80b44a8ccce27d9e4fc6bac62bac236fdc360ebdab3b5c146
  Score: 6/10
  Signatures:
    Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.

Target: Fri19d30056588.exe
  Size: 1.4MB
  MD5: bfcb99934c643d282480424e4468c558
  SHA1: 5e704e74198d386541a3bb466dcf4fa242121f68
  SHA256: 2c85f8e0a0f729c6b91b33c84d541467b1dc4c0f2abb380642c217d0c2518984
  SHA512: c10de1b2f337af91be67c95fac43a08fe90214e2c59ecd87c22af788b8c93f3c56f0ceb888afd67681f951abdddfc28121737c9cbccdeca45e660a8574eb74e1
  Signatures:
    Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    Legitimate hosting services abused for malware hosting/C2

Target: libcurl.dll
  Size: 218KB
  MD5: d09be1f47fd6b827c81a4812b4f7296f
  SHA1: 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
  SHA256: 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
  SHA512: 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
  Score: 3/10

Target: libcurlpp.dll
  Size: 54KB
  MD5: e6e578373c2e416289a8da55f1dc5e8e
  SHA1: b601a229b66ec3d19c2369b36216c6f6eb1c063e
  SHA256: 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
  SHA512: 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
  Score: 3/10

Target: libgcc_s_dw2-1.dll
  Size: 113KB
  MD5: 9aec524b616618b0d3d00b27b6f51da1
  SHA1: 64264300801a353db324d11738ffed876550e1d3
  SHA256: 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
  SHA512: 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
  Score: 3/10

Target: libstdc++-6.dll
  Size: 647KB
  MD5: 5e279950775baae5fea04d2cc4526bcc
  SHA1: 8aef1e10031c3629512c43dd8b0b5d9060878453
  SHA256: 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
  SHA512: 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
  Score: 3/10

Target: libwinpthread-1.dll
  Size: 69KB
  MD5: 1e0d62c34ff2e649ebc5c372065732ee
  SHA1: fcfaa36ba456159b26140a43e80fbd7e9d9af2de
  SHA256: 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
  SHA512: 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
  Score: 1/10

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion (technique, count):
  Modify Registry                     14
  Install Root Certificate            7
  Virtualization/Sandbox Evasion      1
  File Permissions Modification       1