General
Target

setup_installer.rar

Size

5MB

Sample

211027-r4madafbg6

Score
10/10
MD5

e68e1f1dd52861b65b33805901eadb6d

SHA1

65279d96a0a6615743057403bffe381130d0a749

SHA256

6851b72e0bfaf608294bcac6ffef07e5e6591aee8b94ce9afad46b6e6cc32a59

SHA512

8552c053e6096067d279f289c0ff0da5b98dc6835b248f05357bba30db07dc863af17ad5a0135394744d20980a42baba40070cc2c48f4b5637bc143f692ddf79

Malware Config

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.efxety.top/

Extracted

Family

redline

Botnet

chris

C2

194.104.136.5:46013

Extracted

Family

vidar

Version

41.6

Botnet

933

C2

https://mas.to/@lilocc

Attributes
profile_id
933

Extracted

Family

redline

Botnet

media26

C2

91.121.67.60:23325

Extracted

Family

xloader

Version

2.5

Campaign

s0iw

C2

http://www.kyiejenner.com/s0iw/

Decoy

ortopediamodelo.com

orimshirts.store

universecatholicweekly.info

yvettechan.com

sersaudavelsempre.online

face-booking.net

europeanretailgroup.com

umofan.com

roemahbajumuslim.online

joyrosecuisine.net

3dmaker.house

megdb.xyz

stereoshopie.info

gv5rm.com

tdc-trust.com

mcglobal.club

choral.works

onlineconsultantgroup.com

friscopaintandbody.com

midwestii.com

weespiel.com

babyshell.be

gwynora.com

talkthered.com

f-punk.com

frankmatlock.com

clique-solicite.net

clientloyaltysystem.com

worldbyduco.com

kampfsport-erfurt.com

adndpanel.xyz

rocknfamily.net

ambr-creative.com

wwwks8829.com

thuexegiarehcmgoviet.com

brentmurrell.art

wolf-yachts.com

tenpobiz.com

binnamall.com

crestamarti.quest

terry-hitchcock.com

ocreverseteam.com

taxwarehouse2.xyz

megawholesalesystem.com

epstein-advisory.com

enewlaunches.com

iphone13.community

pianostands.com

newspaper.clinic

alamdave.com

Extracted

Family

raccoon

Botnet

8dec62c1db2959619dca43e02fa46ad7bd606400

Attributes
url4cnc
http://telegin.top/capibar
http://ttmirror.top/capibar
http://teletele.top/capibar
http://telegalive.top/capibar
http://toptelete.top/capibar
http://telegraf.top/capibar
https://t.me/capibar
rc4.plain
rc4.plain

Extracted

Family

vidar

Version

41.6

Botnet

937

C2

https://mas.to/@lilocc

Attributes
profile_id
937

Extracted

Family

smokeloader

Version

2020

C2

http://brandyjaggers.com/upload/

http://andbal.com/upload/

http://alotofquotes.com/upload/

http://szpnc.cn/upload/

http://uggeboots.com/upload/

http://100klv.com/upload/

http://rapmusic.at/upload/

http://xacokuo8.top/

http://hajezey1.top/

rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

dd3

C2

91.206.14.151:16764

Extracted

Family

redline

Botnet

serman

C2

135.181.129.119:4805

Targets
Target

setup_installer/Wed0901eb1dae126e32.exe

MD5

199dd8b65aa03e11f7eb6346506d3fd2

Filesize

401KB

Score
10/10
SHA1

a04261608dabc8d394dfea558fcaeb216f6335ea

SHA256

6d5f838b8826f5fcfc939db18f02b7703b37f9ecab111bda1aeca6030dd3aa13

SHA512

0d28ba3232fac0caccc63c0b287ddd81bbc8493d8ec6d90b74f6a3d490903efb2e561cb62e6c9bae94f3bf81d6b298f72c02475f13b775312541ea579e2c4228

Tags

Signatures

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Suspicious use of SetThreadContext

Related Tasks

Target

setup_installer/Wed094c47c32b.exe

MD5

b5cfd3a9dc9e645e24c79991bca60460

Filesize

1MB

Score
8/10
SHA1

0d6bcdca2121d279bbe87c66cab515ac2478f555

SHA256

852bffb94dbd3ed18ac11311b701ee80400209a19b3660b544146b41fa3b9768

SHA512

55861773c758e5f3cc7440d012d820892f7b9155b542baeab940a8c80fd50ffd1001fca6f9f9dae7eca3ae53919eba795aca53d5bb3aaaf29a111acd016d24e6

Signatures

  • Executes dropped EXE

  • Loads dropped DLL

Related Tasks

Target

setup_installer/Wed096a1bff61.exe

MD5

c4d0ec0c74d01acc7135e8045630b182

Filesize

8KB

Score
10/10
SHA1

d954fa19b63df6062c013093ed22f8dc5218c48b

SHA256

8d3586126ec20da9b63930b9995d9ad9826540a71fb958431b73ff48ff6b18e2

SHA512

7cc8d2d033447eed31a1ccab040a4b52803f483d7957c488ad2165db4a308b5cf84f8e2420717436bb146e6e5d33b5d65a53b2381e3caec14b092562b940a9ed

Tags

Signatures

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • xmrig

    Description

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    Tags

  • Vidar Stealer

    Tags

  • XMRig Miner Payload

    Tags

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery
  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

Related Tasks

Target

setup_installer/Wed0971f17486f8.exe

MD5

83be628244555ddba5d7ab7252a10898

Filesize

390KB

Score
10/10
SHA1

7a8f6875211737c844fdd14ba9999e9da672de20

SHA256

e86ad9f9c576959b71ef725aaf7d74c0cf19316e1afbda61a8060d130e98fb3f

SHA512

0c09cce580cd0403191a3944f37688c079d79a21dccb014ac748620835eac542a5327a4e325a3dab0cd6c3bd0db6cb523f51bd05b027596e0b8199d0503b78e2

Tags

Signatures

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Suspicious use of SetThreadContext

Related Tasks

Target

setup_installer/Wed09977fdc12334.exe

MD5

6843ec0e740bdad4d0ba1dbe6e3a1610

Filesize

125KB

Score
10/10
SHA1

9666f20f23ecd7b0f90e057c602cc4413a52d5a3

SHA256

4bb1e9ad4974b57a1364463ca28935d024a217791069dd88bedccca5eaad271a

SHA512

112a327b9e5f2c049177b2f237f5672e12b438e6d620411c7c50d945a8a3d96ec293d85a50392f62651cdf04a9f68d13d542b1626fb81b768eb342077409d6d3

Tags

Signatures

  • Formbook

    Description

    Formbook is a data stealing malware which is capable of stealing data.

    Tags

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify RegistryModify Existing ServiceDisabling Security Tools
  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Socelars Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

    Tags

  • Checks for common network interception software

    Description

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    Tags

    TTPs

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query RegistryVirtualization/Sandbox Evasion
  • Vidar Stealer

    Tags

  • Xloader Payload

    Tags

  • Adds policy Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistrySystem Information Discovery
  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery
  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Tags

  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Description

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

Related Tasks

Target

setup_installer/Wed09abf83d9c2.exe

MD5

03137e005bdf813088f651d5b2b53e5d

Filesize

89KB

Score
10/10
SHA1

0aa1fb7e5fc80bed261c805e15ee4e3709564258

SHA256

258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd

SHA512

23bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd

Signatures

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

Related Tasks

Target

setup_installer/Wed09b2a8bc4f16cb.exe

MD5

94d45a7ff853b3c5d3d441cf87a71688

Filesize

321KB

Score
10/10
SHA1

3327a1929c68a160ef6287277d4cff5747d7bb91

SHA256

172362b2f1f5dca51f1520fc186c1e67c7002f924420c5828b90e099e96b0476

SHA512

14d60e3dec00bb95d1ac35b85c4a63aef3f0157a783c79284b874691b14fc73480f34fc95e09a1e4f9a830ed73addbccb21fe99e5a8b7f3c9f6300ae21cca88f

Tags

Signatures

Related Tasks

Target

setup_installer/Wed09b3a5ca1a712d390.exe

MD5

1c80f27a97ac4ce5c1c91705e0921e5a

Filesize

63KB

Score
10/10
SHA1

23b8834a95a978b881f67440ceef1046d3172dd1

SHA256

5f3d434aa99f8e88b605495e49588a87fd0aacd47092f149ff795ae983b81ae1

SHA512

31bbd0054559111b8bdbdb89947e02029d1dbe8180996ad16dc732fa317b22a2a56d782f3f563f6261e14c66fae3f4603721d473a3ec2b22470ac971edff0702

Tags

Signatures

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service

Related Tasks

Target

setup_installer/Wed09c42cad92c20f79.exe

MD5

48c91156511d520353b21c4df6253944

Filesize

421KB

Score
6/10
SHA1

a5fffe608205c897fea58541ae844d30a2fa4a0f

SHA256

bb8872a748020b855eacb3df80cc431edf7104a4bdd3805f0a8bb31341cb3b92

SHA512

fb95ccf301d3461232d436070ef0710f57137860e63285eaff25ef3f22e5e381278ece8c1a6a52d889ae5a80316a7c41d4176311d32aa1034866bc91a973deaa

Signatures

  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

Related Tasks

Target

setup_installer/Wed09cfb2f9758281d8.exe

MD5

dcf289d0f7a31fc3e6913d6713e2adc0

Filesize

362KB

Score
3/10
SHA1

44be915c2c70a387453224af85f20b1e129ed0f0

SHA256

06edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5

SHA512

7035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca

Related Tasks

Target

setup_installer/Wed09d27135e5a8b3b.exe

MD5

9b07fc470646ce890bcb860a5fb55f13

Filesize

379KB

Score
8/10
SHA1

ef01d45abaf5060a0b32319e0509968f6be3082f

SHA256

506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b

SHA512

4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

Tags

Signatures

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry

Related Tasks

Target

setup_installer/Wed09d8d6edfaff2ac.exe

MD5

003a0cbabbb448d4bac487ad389f9119

Filesize

126KB

Score
10/10
SHA1

5e84f0b2823a84f86dd37181117652093b470893

SHA256

5c1df1c4542e2126a35d1b2ed8cb50482650e1aafa18e1229bcfb22ea49ca380

SHA512

53f9b6dbe2aac2c6148b4d0072129977755cc4de9f5d558ce5bbf08bcf07dd9bcfeb02fecc52dfb94ae6cb8d7c48f09e36626581fe2cb6e353b1f7d7f2e30f02

Tags

Signatures

  • Amadey

    Description

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    Tags

  • Djvu Ransomware

    Description

    Ransomware which is a variant of the STOP family.

    Tags

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify RegistryModify Existing ServiceDisabling Security Tools
  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Socelars Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

    Tags

  • Checks for common network interception software

    Description

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    Tags

    TTPs

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query RegistryVirtualization/Sandbox Evasion
  • Vidar Stealer

    Tags

  • Xloader Payload

    Tags

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Tries to connect to .bazar domain

    Description

    Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistrySystem Information Discovery
  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery
  • Loads dropped DLL

  • Modifies file permissions

    Tags

    TTPs

    File Permissions Modification
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Tags

  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Description

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

Related Tasks

Target

setup_installer/Wed09db0d52c38.exe

MD5

5810fe95f7fb43baf96de0e35f814d6c

Filesize

1MB

Score
10/10
SHA1

696118263629f3cdf300934ebc3499d1c14e0233

SHA256

45904081a41de45b5be01f59c5ebc0d9f6d577cea971d3b8ea2246df6036d8a9

SHA512

832c66baff50e389294628855729955eb156479faa45080cba88ece0ee035aeef32717432e63823cbb0f0e9088b90f017a5e2888b11a0f9ede2c9ff00f605ed1

Tags

Signatures

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up geolocation information via web service

    Description

    Uses a legitimate geolocation service to find the infected system's geolocation info.

Related Tasks

Target

setup_installer/Wed09e95ff6b5.exe

MD5

c9e0bf7a99131848fc562b7b512359e1

Filesize

846KB

Score
10/10
SHA1

add6942e0e243ccc1b2dc80b3a986385556cc578

SHA256

45ed24501cd9c2098197a994aaaf9fe2bcca5bc38d146f1b1e442a19667b4d7b

SHA512

87a3422dad08c460c39a3ac8fb985c51ddd21a4f66469f77098770f1396180a40646d81bdae08485f488d8ca4c65264a14fe774799235b52a09b120db6410c5a

Tags

Signatures

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Executes dropped EXE

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Suspicious use of SetThreadContext

  • autoit_exe

    Description

    AutoIT scripts compiled to PE executables.

Related Tasks

Target

setup_installer/Wed09f257bb7877d00b2.exe

MD5

bdbbf4f034c9f43e4ab00002eb78b990

Filesize

1MB

Score
7/10
SHA1

99c655c40434d634691ea1d189b5883f34890179

SHA256

2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae

SHA512

dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

Tags

Signatures

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

Related Tasks

Target

setup_installer/libcurl.dll

MD5

d09be1f47fd6b827c81a4812b4f7296f

Filesize

218KB

Score
3/10
SHA1

028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256

0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512

857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Related Tasks

Target

setup_installer/libcurlpp.dll

MD5

e6e578373c2e416289a8da55f1dc5e8e

Filesize

54KB

Score
3/10
SHA1

b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256

43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512

9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Related Tasks

Target

setup_installer/libgcc_s_dw2-1.dll

MD5

9aec524b616618b0d3d00b27b6f51da1

Filesize

113KB

Score
3/10
SHA1

64264300801a353db324d11738ffed876550e1d3

SHA256

59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512

0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Related Tasks

Target

setup_installer/libstdc++-6.dll

MD5

5e279950775baae5fea04d2cc4526bcc

Filesize

647KB

Score
3/10
SHA1

8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256

97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512

666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Related Tasks

Target

setup_installer/libwinpthread-1.dll

MD5

1e0d62c34ff2e649ebc5c372065732ee

Filesize

69KB

Score
1/10
SHA1

fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256

509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512

3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Related Tasks

Target

setup_installer/setup_install.exe

MD5

5e712252b7a8e717ce0af8d60a9bd01f

Filesize

2MB

Score
10/10
SHA1

71dcbb03ad699bc8248f8e07b352cd42f1e53fcd

SHA256

eaf778ce260c45aad1de9077df39da7fa8ff6755f136780ec8eead2a65da1114

SHA512

7d06984a900dedfb10df0b017ed9780a8d59d1238c3105c721d1fdb5c097afb036dfc0c12d38600d203a6f4306f4d8b51c4b1a16613e92f8f0d4877cbae1620d

Tags

Signatures

  • Amadey

    Description

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    Tags

  • Djvu Ransomware

    Description

    Ransomware which is a variant of the STOP family.

    Tags

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify RegistryModify Existing ServiceDisabling Security Tools
  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Socelars Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

    Tags

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query RegistryVirtualization/Sandbox Evasion
  • Xloader Payload

    Tags

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Tries to connect to .bazar domain

    Description

    Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistrySystem Information Discovery
  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery
  • Loads dropped DLL

  • Modifies file permissions

    Tags

    TTPs

    File Permissions Modification
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Description

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  • autoit_exe

    Description

    AutoIT scripts compiled to PE executables.

Related Tasks