General
-
Target
setup_installer.rar
-
Size
5.1MB
-
Sample
211027-r4madafbg6
-
MD5
e68e1f1dd52861b65b33805901eadb6d
-
SHA1
65279d96a0a6615743057403bffe381130d0a749
-
SHA256
6851b72e0bfaf608294bcac6ffef07e5e6591aee8b94ce9afad46b6e6cc32a59
-
SHA512
8552c053e6096067d279f289c0ff0da5b98dc6835b248f05357bba30db07dc863af17ad5a0135394744d20980a42baba40070cc2c48f4b5637bc143f692ddf79
Malware Config
Extracted
socelars
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
Extracted
redline
chris
194.104.136.5:46013
Extracted
vidar
41.6
933
https://mas.to/@lilocc
-
profile_id
933
Extracted
redline
media26
91.121.67.60:23325
Extracted
xloader
2.5
s0iw
http://www.kyiejenner.com/s0iw/
ortopediamodelo.com
orimshirts.store
universecatholicweekly.info
yvettechan.com
sersaudavelsempre.online
face-booking.net
europeanretailgroup.com
umofan.com
roemahbajumuslim.online
joyrosecuisine.net
3dmaker.house
megdb.xyz
stereoshopie.info
gv5rm.com
tdc-trust.com
mcglobal.club
choral.works
onlineconsultantgroup.com
friscopaintandbody.com
midwestii.com
Extracted
raccoon
8dec62c1db2959619dca43e02fa46ad7bd606400
-
url4cnc
http://telegin.top/capibar
http://ttmirror.top/capibar
http://teletele.top/capibar
http://telegalive.top/capibar
http://toptelete.top/capibar
http://telegraf.top/capibar
https://t.me/capibar
Extracted
vidar
41.6
937
https://mas.to/@lilocc
-
profile_id
937
Extracted
smokeloader
2020
http://brandyjaggers.com/upload/
http://andbal.com/upload/
http://alotofquotes.com/upload/
http://szpnc.cn/upload/
http://uggeboots.com/upload/
http://100klv.com/upload/
http://rapmusic.at/upload/
http://xacokuo8.top/
http://hajezey1.top/
Extracted
redline
dd3
91.206.14.151:16764
Extracted
redline
serman
135.181.129.119:4805
Targets
-
-
Target
setup_installer/Wed0901eb1dae126e32.exe
-
Size
401KB
-
MD5
199dd8b65aa03e11f7eb6346506d3fd2
-
SHA1
a04261608dabc8d394dfea558fcaeb216f6335ea
-
SHA256
6d5f838b8826f5fcfc939db18f02b7703b37f9ecab111bda1aeca6030dd3aa13
-
SHA512
0d28ba3232fac0caccc63c0b287ddd81bbc8493d8ec6d90b74f6a3d490903efb2e561cb62e6c9bae94f3bf81d6b298f72c02475f13b775312541ea579e2c4228
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
setup_installer/Wed094c47c32b.exe
-
Size
1.3MB
-
MD5
b5cfd3a9dc9e645e24c79991bca60460
-
SHA1
0d6bcdca2121d279bbe87c66cab515ac2478f555
-
SHA256
852bffb94dbd3ed18ac11311b701ee80400209a19b3660b544146b41fa3b9768
-
SHA512
55861773c758e5f3cc7440d012d820892f7b9155b542baeab940a8c80fd50ffd1001fca6f9f9dae7eca3ae53919eba795aca53d5bb3aaaf29a111acd016d24e6
Score8/10-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
setup_installer/Wed096a1bff61.exe
-
Size
8KB
-
MD5
c4d0ec0c74d01acc7135e8045630b182
-
SHA1
d954fa19b63df6062c013093ed22f8dc5218c48b
-
SHA256
8d3586126ec20da9b63930b9995d9ad9826540a71fb958431b73ff48ff6b18e2
-
SHA512
7cc8d2d033447eed31a1ccab040a4b52803f483d7957c488ad2165db4a308b5cf84f8e2420717436bb146e6e5d33b5d65a53b2381e3caec14b092562b940a9ed
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Vidar Stealer
-
XMRig Miner Payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
setup_installer/Wed0971f17486f8.exe
-
Size
390KB
-
MD5
83be628244555ddba5d7ab7252a10898
-
SHA1
7a8f6875211737c844fdd14ba9999e9da672de20
-
SHA256
e86ad9f9c576959b71ef725aaf7d74c0cf19316e1afbda61a8060d130e98fb3f
-
SHA512
0c09cce580cd0403191a3944f37688c079d79a21dccb014ac748620835eac542a5327a4e325a3dab0cd6c3bd0db6cb523f51bd05b027596e0b8199d0503b78e2
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
setup_installer/Wed09977fdc12334.exe
-
Size
125KB
-
MD5
6843ec0e740bdad4d0ba1dbe6e3a1610
-
SHA1
9666f20f23ecd7b0f90e057c602cc4413a52d5a3
-
SHA256
4bb1e9ad4974b57a1364463ca28935d024a217791069dd88bedccca5eaad271a
-
SHA512
112a327b9e5f2c049177b2f237f5672e12b438e6d620411c7c50d945a8a3d96ec293d85a50392f62651cdf04a9f68d13d542b1626fb81b768eb342077409d6d3
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Modifies Windows Defender Real-time Protection settings
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Vidar Stealer
-
Xloader Payload
-
Adds policy Run key to start application
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Accesses 2FA software files, possible credential harvesting
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
setup_installer/Wed09abf83d9c2.exe
-
Size
89KB
-
MD5
03137e005bdf813088f651d5b2b53e5d
-
SHA1
0aa1fb7e5fc80bed261c805e15ee4e3709564258
-
SHA256
258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd
-
SHA512
23bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
setup_installer/Wed09b2a8bc4f16cb.exe
-
Size
321KB
-
MD5
94d45a7ff853b3c5d3d441cf87a71688
-
SHA1
3327a1929c68a160ef6287277d4cff5747d7bb91
-
SHA256
172362b2f1f5dca51f1520fc186c1e67c7002f924420c5828b90e099e96b0476
-
SHA512
14d60e3dec00bb95d1ac35b85c4a63aef3f0157a783c79284b874691b14fc73480f34fc95e09a1e4f9a830ed73addbccb21fe99e5a8b7f3c9f6300ae21cca88f
Score10/10-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself
-
-
-
Target
setup_installer/Wed09b3a5ca1a712d390.exe
-
Size
63KB
-
MD5
1c80f27a97ac4ce5c1c91705e0921e5a
-
SHA1
23b8834a95a978b881f67440ceef1046d3172dd1
-
SHA256
5f3d434aa99f8e88b605495e49588a87fd0aacd47092f149ff795ae983b81ae1
-
SHA512
31bbd0054559111b8bdbdb89947e02029d1dbe8180996ad16dc732fa317b22a2a56d782f3f563f6261e14c66fae3f4603721d473a3ec2b22470ac971edff0702
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
-
-
Target
setup_installer/Wed09c42cad92c20f79.exe
-
Size
421KB
-
MD5
48c91156511d520353b21c4df6253944
-
SHA1
a5fffe608205c897fea58541ae844d30a2fa4a0f
-
SHA256
bb8872a748020b855eacb3df80cc431edf7104a4bdd3805f0a8bb31341cb3b92
-
SHA512
fb95ccf301d3461232d436070ef0710f57137860e63285eaff25ef3f22e5e381278ece8c1a6a52d889ae5a80316a7c41d4176311d32aa1034866bc91a973deaa
Score6/10-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
setup_installer/Wed09cfb2f9758281d8.exe
-
Size
362KB
-
MD5
dcf289d0f7a31fc3e6913d6713e2adc0
-
SHA1
44be915c2c70a387453224af85f20b1e129ed0f0
-
SHA256
06edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5
-
SHA512
7035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca
Score3/10 -
-
-
Target
setup_installer/Wed09d27135e5a8b3b.exe
-
Size
379KB
-
MD5
9b07fc470646ce890bcb860a5fb55f13
-
SHA1
ef01d45abaf5060a0b32319e0509968f6be3082f
-
SHA256
506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
-
SHA512
4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
Score8/10-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
setup_installer/Wed09d8d6edfaff2ac.exe
-
Size
126KB
-
MD5
003a0cbabbb448d4bac487ad389f9119
-
SHA1
5e84f0b2823a84f86dd37181117652093b470893
-
SHA256
5c1df1c4542e2126a35d1b2ed8cb50482650e1aafa18e1229bcfb22ea49ca380
-
SHA512
53f9b6dbe2aac2c6148b4d0072129977755cc4de9f5d558ce5bbf08bcf07dd9bcfeb02fecc52dfb94ae6cb8d7c48f09e36626581fe2cb6e353b1f7d7f2e30f02
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Modifies Windows Defender Real-time Protection settings
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Vidar Stealer
-
Xloader Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Tries to connect to .bazar domain
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Accesses 2FA software files, possible credential harvesting
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
setup_installer/Wed09db0d52c38.exe
-
Size
1.4MB
-
MD5
5810fe95f7fb43baf96de0e35f814d6c
-
SHA1
696118263629f3cdf300934ebc3499d1c14e0233
-
SHA256
45904081a41de45b5be01f59c5ebc0d9f6d577cea971d3b8ea2246df6036d8a9
-
SHA512
832c66baff50e389294628855729955eb156479faa45080cba88ece0ee035aeef32717432e63823cbb0f0e9088b90f017a5e2888b11a0f9ede2c9ff00f605ed1
Score10/10-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
-
-
Target
setup_installer/Wed09e95ff6b5.exe
-
Size
846KB
-
MD5
c9e0bf7a99131848fc562b7b512359e1
-
SHA1
add6942e0e243ccc1b2dc80b3a986385556cc578
-
SHA256
45ed24501cd9c2098197a994aaaf9fe2bcca5bc38d146f1b1e442a19667b4d7b
-
SHA512
87a3422dad08c460c39a3ac8fb985c51ddd21a4f66469f77098770f1396180a40646d81bdae08485f488d8ca4c65264a14fe774799235b52a09b120db6410c5a
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
autoit_exe
AutoIT scripts compiled to PE executables.
-
-
-
Target
setup_installer/Wed09f257bb7877d00b2.exe
-
Size
1.3MB
-
MD5
bdbbf4f034c9f43e4ab00002eb78b990
-
SHA1
99c655c40434d634691ea1d189b5883f34890179
-
SHA256
2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
-
SHA512
dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec
Score7/10-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
setup_installer/libcurl.dll
-
Size
218KB
-
MD5
d09be1f47fd6b827c81a4812b4f7296f
-
SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7
-
SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
-
SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
Score3/10 -
-
-
Target
setup_installer/libcurlpp.dll
-
Size
54KB
-
MD5
e6e578373c2e416289a8da55f1dc5e8e
-
SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e
-
SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
-
SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
Score3/10 -
-
-
Target
setup_installer/libgcc_s_dw2-1.dll
-
Size
113KB
-
MD5
9aec524b616618b0d3d00b27b6f51da1
-
SHA1
64264300801a353db324d11738ffed876550e1d3
-
SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
-
SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
Score3/10 -
-
-
Target
setup_installer/libstdc++-6.dll
-
Size
647KB
-
MD5
5e279950775baae5fea04d2cc4526bcc
-
SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453
-
SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
-
SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
Score3/10 -
-
-
Target
setup_installer/libwinpthread-1.dll
-
Size
69KB
-
MD5
1e0d62c34ff2e649ebc5c372065732ee
-
SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de
-
SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
-
SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
Score1/10 -
-
-
Target
setup_installer/setup_install.exe
-
Size
2.1MB
-
MD5
5e712252b7a8e717ce0af8d60a9bd01f
-
SHA1
71dcbb03ad699bc8248f8e07b352cd42f1e53fcd
-
SHA256
eaf778ce260c45aad1de9077df39da7fa8ff6755f136780ec8eead2a65da1114
-
SHA512
7d06984a900dedfb10df0b017ed9780a8d59d1238c3105c721d1fdb5c097afb036dfc0c12d38600d203a6f4306f4d8b51c4b1a16613e92f8f0d4877cbae1620d
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Modifies Windows Defender Real-time Protection settings
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Xloader Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Tries to connect to .bazar domain
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
autoit_exe
AutoIT scripts compiled to PE executables.
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Registry Run Keys / Startup Folder
6Scheduled Task
4Modify Existing Service
3Defense Evasion
Modify Registry
17Install Root Certificate
5Disabling Security Tools
3Virtualization/Sandbox Evasion
3File Permissions Modification
2