glupteba

Target

setup_x86_x64_install.exe
Size

4.0MB
Sample

210922-mqyzssehck
MD5

73491325fde5366b31c09da701d07dd6
SHA1

a4e1ada57e590c2df30fc26fad5f3ca57ad922b1
SHA256

56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11
SHA512

28b5008c542e9c486529934f74774d6d2de4b98531483b24c3c7cf82bf2214b959a1feb0085014026dd278d2a18ac6ae8a0e5a7ebb36be28abf6dccbf2d38e88

Malware Config

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

janesam

65.108.20.195:6774

Extracted

Family

redline

Botnet

UTS

45.9.20.20:13441

Extracted

Family

vidar

Version

40.7

Botnet

706

https://petrenko96.tumblr.com/

Attributes

profile_id
706

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\7zS26D7.tmp\__data__\config.txt

Family

ryuk

Ransom Note

Fqy��"zL�R�cD��|��F�Ƴ� �&s%��d�<9��3��/�O��^6��GG7�2_�+��4�S� ��ObrL�� .�b��r?-\t-��~�'��r7�J�U�6ʊ�im��Bw�Úe^3�*��)_w�y��I��3��$N4up2��+Z=ߩ�-?�f�T�hc��1/ʷ2�\!*͵No��4��D0~\T��"��c��85m�B��)��M)��`C��_=z,~Qj�߸�eG��9u)�:%�!�A4��ɱ�9�9m�� 0N�o��k/�'M��ք�K,�� :��]��t!_�Sݶ�4��F<�JY��z�w�[�4�� ,}��W��7�`��)G�)�� .1#AESK��Z�J�_&��T��du��=^��h%t��D�M˛�A��bN�3��&��K��hh��㱦;d4M��M��(Fb٫CF��I��<R��6�c1), ��p��!��v�??� ��r(8{6��=��H�K��I��! �E}�6Tp��*T8.]�i.(m��Y�-�D�Qˠ��.nݢ+�H��97�)��A(D`b�S��g��O5�7v�j��k��@��5��Ea�AF�@,��Z�n��B�Lk��w��:s4�6mO�}o��/rٮл��hTs�� 2��Ʌ�=�us*0��d��{��+q͚'P,|{��c�~�(O�#._Y�/J��9�΅6�J}bp��4��Ú@\�/�B��")>|�� \�4{1�g݁�/)�QUq��K;��b�Q*��;��.�2.X)* �W�3� ��l��h�^�a��!dO��,�L��{�q"c��s̔�|f��:��xD��v��? ��J�L)��r' �%��$��@��7�F��C;��?��_\��"w��P�ˁ9��K&�>��D��L��v(lns2m뎽��XQ��7,�1��0ŤpIy��o{?E�kXil�|��<5�4�Q酆/!�+�2N�ݘ� ��@´�b�%oLW��w�I��,�߮�\��&��\�� /��xy��ވ�Cߊ0�΍�y�lZ[�Ud�e��#��sDd��gW'��O�}�G�\Wa8��9%�Ӆaٿ��y:�ZP{ͦ�G.Bj��6�q ��niY/� �4�3��D�U�!�Q��<v��L��g�1^G�h �d��taqxo�%�u�3��!��z�qGf�Be?��9�y��W�c��n�j�1�+3�� aI7��pJ�q��f��[t�j�^fY��P&A~}�骰��D+F1 �Jsx\�[��6�*�L��K��Pw,,��sE|cT!��*F_�pBa\:$�y�E�`۱��:��<�7ơ�d�-��R�1Ͷl�uNۿ�D;/}ẻ�?��cO��ln�d��d�D��R�C�O'��<�H��DK��.��D �S�b-��H��`n��-��pL��W�Q��+�E��|��%�=��S8�$ZND�`��y�L��sbLv��_�ǻ`0}٫u<*xb�;@�7K}�t`�"�0[�/ǩI߆(��y�F�Hα��"�w��sVo��4�\�C�Ͷ�`k��J{��+=��=��A�f0�� ŵ��90��_��Ae�Bf&)��AJU��z�K��Qls��8�&(1�[�؎��,ZL��cפ��(KS$5l��1�2$-�^*��Ɯ�9�a�Y��D�4�Ũ��j/`qAz��׻爐�"j:TJ1��SəͲ��wB��sY�V�b qJ�OZG"�xe6��q �+$ ��mz��Xq9�܈-��}h2�vˍP��RQV%��+l�;�n��wM��5��cZ�V�ZT��YT.��*E>Kwk��ü~E]ª�xt�[oR�։�V��&��!�c�?�z� F{�(��Wɓ��T-�x>��t��[�zڳv�]��D��R7g�Q1[�f��ǿ�Wn��X��ϓ��/EۏU��[M��(�X]�<;bĖ#�`E�<p�^�/�V�z�|8�官p� �|�S��W��8�\ �'R�̗H[�HQ3�\��\�6��0_h�}0��H�*a͘�>tP��dr��7 d�_�`��H5�{��k�x*}+��5��L�� I�Ip��`�W�ߴ��K�B�+�5�a�I�}�AwMe��>C��i�^T��M�7x�Å$��A�D��\=�#��u��κ��2[��M�Pc��b��'�S��Pu/#BÙ�:7|h`��"�*R{:��F�NM�(M�ߴ�P�Y��ܪ��X�0��k��v=?�V(��x�@ ��ɿ��W�F%��gg��|B��=`��*.�ģ2HhO�b��oK&s��,��&�0�R��=�rKb��}!F�򫘅H�ӻBf��n7��$D��J�\s��?'BD�a+��Ҵ斬��oX82��?��+��es\>�"v/�T��VH��B��cؐ� �7n�; ��%��(��y+O��G��ȧ/�Yib�6f�M[�+vH>�[��د��o��'}N�ށF��->s��w{��X��(�l{W�|�KX#��Z5�+7K�#��,:V��I0Z�e��=!]��W�i��c��n��qA�ɱ(BvDܛ�S�Z�d� ^"|h��iB�.b<��g�ꢚU�]��a �+��C`�A�k%�`��Z��1)�Z�l�%�2�<�y��0�WP��A<nBz�謟0"v��Z_��e2ۨn�{�_��[ �i��2�D��(��L��)S��Ah_��J��:��ұ��|�B5şϽ��=��,O�W��EԂ _vSRfǲ�*�c��3m��#�刖��*,fCx/�0q��ͥ�(�� :^U�iwA j�o*�]��♋�Ep@��A[Bb�00��b"prY�dPK��7*��뺖��i�NؕP��Yv�=$�"�9t��RD�MuЊL8�TV��4�<5�A��ι��4��J�n�7N��6��*2Pۂʵ!�lh(߹ʳk�=�Cg-QMD�XND[�Ҿ�q��H�1K)V!L�u�;��A~�!֎k|[��N�/�F�~��0W{��a�=$��8�zj��U�(�Y)��8DW��t��)��Z��C��c֍�>;=�,s>��1��u��Y�F��D򱔿�HZ�,sïZE%H_|⸇��c)� h5qsR#2G��1�?��K��.��樝�q\��*��W�`�18o ��+l��]+bj��/��&��"T3��V��tܢV��i�_�F�H<��Z�{��,��;�ou0�۷��T��.�ϝ+��{�5t��F��H$�s�7RG�UVL��k$¸��p��I��*��*:ӦX��w��=$��5�)�z��j3�_A=IEmߖ�r��\��4��R�xh0��+;clǙ� L��k��VN��0�y-" 4��={/LP5bY\��no�,D�|1�:��K�K$��;`�XMK��|hR��S�*m�O{� ��+�÷�@�H�)�_�[��JU��|�ԋ��XҮ�ʋ ȯ�A��}�R�X��~N �E̱�� .G�i�E��+��Æ*c��7�6L��t�c�)�."h:z&n� W�-��=�n�Q��=��o��HLl�3��5~_��߈g��lQ[Vqٴ��U�6P��7�[J��KQ�$�v��n��U�If��v�(d^�8��e�F��u��_T�st��m@ՋyzB>�kqI�*)�֟LK:��<��K?��h�b0<��?H�_s�/��&�_4��=�� !�F��D��d��,5$?%�6O��g��@��ie��z�m��n��k�&��%P�kB��y�\1j�,aQ��5�<-�ٵ��Yz�jEz��伫/ki��(��}�8�C��X��$�0�-��3ey��r��qw��-�ӡ�yqN��|�H�&�$ʕ[8Hqfh��7��~�^��:Y;r�4C��e!$&�W��TN��L��7��{E�y�pqG��N^ �A+Ҳ&���\,��-z�Ay�mo��V��Zy��P,m8��e2��ڵT%DRk�,,k܁h��2񐀶W�Ce�HQw�V��J9S[�h�堪u#n��携��!nS��gw�ޭ-�^c�6=_��"+>B{�0D>�x�w�y��3P[�:0Zr~ ��\�c��c['��8:R��r;>I�Q=��Z旛~��{��7�âe�l�}��n?~�.A��&��b� (�:��W�z�G#"��h�؎u-�d�]�]t��<��"w��׭��}x�Dn� }�+�夁��N)��Q��w� ��:��vŦ%�,��!Z��j��p��U�e��#�DT�d�o�� C;F)+-�R�� nj�J@�{4]�q]��'c��_Tz��'{֯��Z%R�v2ġc*[꠷��O|7��cs,š&��]��d�E�BJQǢ��v�~~��p[��ڒ0 �Z��@��^yǷ��B�$o�J� ��ێ��(�O?��cP1x#^��B��s>�m��oJLr�af=��n�+��M��~�CW��E� %7��$#�6��uNF�'g (��q�8�bQ�zA��=;��2�g�vH��]�w�>��X7w%�?��zۑ��v��ۉ��6 �nlۑ�|V�h*DB��߁�NK:��Px��-{"�ǝC@p{P��0VU-��d�#TۣL[A�؎a��L��_�%Om ��,�0#Hx?�j��-xs��?cV��[9�`'��»Q P�k��2�܃EN ��gw� ��"}�[��)V�c��:�f��wE��-�a�O.��*w1��[ Q�z{�&��Ul_��h�$��Dڢ�c`�I";x��1@��;�C��@��$�D�ם{�� s��lpfї�� F�{i(��29o��Ż�n0��e�^ p��.��-[TdI Y� %� O6�[H��&�߭Y��!�)[��T.�$��_��m��ŵ�G(��<K'�ލ�}�t��w��ѥ*�E��{U3��?6-E� &\~q��*��!OïE0鲼G<@*�9��g�4�}\�_�W�)�3GYLo](��@��*J�� (�E��Ekx��bԵ��2UN��] l��p�ғUj��."��C��<-�6��Q�{4$�M��]��Q��f�� Y=�[�h]s�&�Sn��w��Vi�:q� ��I�䃪��g�j=_��bW�~/��FP��$�vPp��D>�ʎ �Bı��Ǒ_#�q$/��"1�[��=��^�F��*��T�K��5OӑSs �=��(��=�B�R�\r!�L��@ff�Fx��_��=k�lEXFoƴw$�1�xCڟdm�=�X�j�ge9H.<�no `��0L%��NߗA�&�F�{!�q[��|K�o��3��TM�C�(��I�L�.ˮ��b�t�~k�Að8p�N�m��I��ݣ��:��=��I��.�)�Ũч�]��ޖm��V��o��ȍ8�ȕ�P��1�`��ҬJ/��3hsJ��yV �� E��K��Uڢ��ۯ�o�V��<�A�1D�wA��`S��M�#�9Ұ?�9��F쩜�ѧ/�ȎzU��g{i�XQ��HV��"��]��J��1s�Esvk��J��R�b��*��n\��)�Ս�u�hɬ�S p��O�?H�*]h�{��uCjRC}>Ns��ɢ �@�m�uV��}��9�s+ͥQ�፦_?�-uj%Kc'��ʒ�^#�U,\�G�C�#F�0��豫�V��?#��^Z}e5��$��Z2�W�)O2A��[��=�x��w&�?�m�l��X�~Ƚ��.@-k�2�x��a�˼��Piǿ��3;��W��C� �5{@�l�;�^��p��--8u+/�_O��E��z�A��u��!��!��X�so;��3�ѝ��!�ۜyE��L��<�fG��Ϊ��-��U�UX*Wx�Ĥ. x�CF�d��Ȯ��UMYt�S�E.��&N��O1P,N�<��-=�)�)u ��[a�fKe�GJ��c��Ig<T�V��.��us��-��T��r ��ݼe��U��8S�再�N��,��`@�P�[��& �vܮ��I�o�N'�[&��h��h�.�bH�&K�Z xX�^��W�e�@S��>K�a͝kZp\O��c��MT��Ì�ͷ&f�q��>�,�ٯ�� X��Ȃ�T��2 VB��eQ_<�.rC@*#}@��Ɨ�y]��~�ry[>;��;C��n��z�M��R�q��gv��?��=t��Uy�P'*��v��N8չ1��\�k%�b�b��W��>7^��͢(3v��6Ce��0D]�E��u��\6:��'�䂒D�B��l`�\�yX)9��u��/�<��*��?��.{0kW*��g�rV��}c��_p��^��C��ʹӰR�)��E�� / ۽M�C�2�sn�l�%��A%h!�q&��ө�\� ��q�P�h��"�}T[�K��<�@�� 0B��x[~%S��B�!� �<V��G\��-�G��Şo��a�i��?#·��Y�T��B$�6�_�4�E��U+�U.gKU �t�i��R��kO�h�&sYn=�Ȓ�� iT]��;�.��e��8��~�m��+Qa:Hc&� q�~X_I�'I�K}��ݥؑ7^^�-�}��E5)� ��ݞ��wc�OꞵT�̉�"�ϱ��_��]ÂE��F�ci�ٰ�� Q��a��8�_�;��>a�}�a!; H��1Yd�b�%�:z�6��&ֵ?qΫ�h4W]Y��Ozr��u��u�,d�]�;�T�H�'o��y݊e%\Ij�'��m˺d�m�c�sj4h��c��G�k��2"']Q�b��@��F�C��o��qa��H�Dd�_>�\�ۨ��X��.�j6�wXUK��oz�.ѭ��S�pL��<��zpc��eԣP�m+r��w�G�țE C�!h��DDQ��Y ü<��YC��U8J��c�Y�9Ⱥ��CKm�� ,�*ź��؟6l�$��4��H�� J?��$Oȓ�' ��ΐT�7��G�xBugs��|�|i�1��+��*#B~�y��v'}�QP*o)͠��U��N[$7��8�TI��H�0W)H�s��5=tU6��f�sGoFL�h��\�A<��{��[�Z�b�1r~au��}d(}<&��@Ǳ�kk��y��K��e�1 �XUվ��$ν��N�4 ��8��Y�E_��q��ujY"�i�c��ѳ��7c��3�6� ��莦�uF��]J~j��m��i��ʝs��wڱK��Yʛ�1G��|��RY�˞}ӛ�D��F�Jr��F�O!�;�G�O|4�8~��dr��B_8œ��ǎIҜ:A9+8u��PnDL�}H�eiv!��u��5��%I�P5��N�3WC�^��v��4�@Hr�}ܰ��.#��D��>�kr�E��>]�|4�I�&�C� Ǥ5��`m��Q�+��ɦ�^��?�t�-�H��7?�H�~�~oΓ��H�9S��g~q�r��1٭� ׿�-�+��g�Gl��ܒ^�ɉ�� j]Pp�.Id��T�z�:$�W�WnV�S��W��X+�� ^�cG�e5z��l�6v��l$Z�t�ϫ�Q,��~3V��>�ަl�_��[t֕��C ��z�Iy�]��u�ڶ/X�W�]��oaNG �h�(��%Z$�jw��c?�v��8�!�GC%?Ru�_ �E08p�B�b/ğl2C��ԯ��o4N�{4��m��KJ��F�H~�@B��ެR�aL&��>:#��\�48��5��q/�9�n�B��Uv�0�Hvg��̟.�:۳�ڟU5%"��]��|m��t�=H{t|�{�R�'��"3˪��D`k6"��Ǡ�

Extracted

Family

redline

Botnet

REC

185.215.113.107:61144

Targets

- Target
  
  setup_x86_x64_install.exe
- Size
  
  4.0MB
- MD5
  
  73491325fde5366b31c09da701d07dd6
- SHA1
  
  a4e1ada57e590c2df30fc26fad5f3ca57ad922b1
- SHA256
  
  56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11
- SHA512
  
  28b5008c542e9c486529934f74774d6d2de4b98531483b24c3c7cf82bf2214b959a1feb0085014026dd278d2a18ac6ae8a0e5a7ebb36be28abf6dccbf2d38e88
Score

10^/10

redline smokeloader socelars janesam uts aspackv2 backdoor discovery evasion infostealer spyware stealer suricata trojan glupteba metasploit vidar xmrig 706 bootkit dropper loader miner persistence themida oski ryuk zloader rec botnet ransomware
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba Payload
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Oski
  Oski is an infostealer targeting browser data, crypto wallets.
  infostealer oski
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Zloader, Terdot, DELoader, ZeusSphinx
  Zloader is a malware strain that was initially discovered back in August 2015.
  trojan botnet zloader
- suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
  suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
  suricata
- suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
  suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
  suricata
- suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
  suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
  suricata
- suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
  suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
  suricata
- suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
  suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
  suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
  suricata
- suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
  suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
  suricata
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Vidar Stealer
  stealer
- XMRig Miner Payload
  miner
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops Chrome extension
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5 behavioral6 behavioral7 behavioral8

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Scheduled Task

T1053

BITS Jobs

T1197

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

File Permissions Modification

T1222

BITS Jobs

T1197

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Security Software Discovery

T1063

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Glupteba Payload

MetaSploit

Modifies Windows Defender Real-time Protection settings

Oski

Process spawned unexpected child process

RedLine

RedLine Payload

Ryuk

SmokeLoader

Socelars

Socelars Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Vidar

Zloader, Terdot, DELoader, ZeusSphinx

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity

suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2

xmrig

Checks for common network interception software

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar Stealer

XMRig Miner Payload

ASPack v2.12-2.42

Blocklisted process makes network request

Downloads MZ/PE file

Drops file in Drivers directory

Executes dropped EXE

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Modifies file permissions

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Themida packer

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks for any installed AV software in registry

Checks installed software on the system

Checks whether UAC is enabled

Drops Chrome extension

Drops desktop.ini file(s)

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7