Overview

overview

10

Static

static

10

setup_installe...32.exe

windows7_x64

10

setup_installe...32.exe

windows10_x64

10

setup_installe...2b.exe

windows7_x64

8

setup_installe...2b.exe

windows10_x64

8

setup_installe...61.exe

windows7_x64

10

setup_installe...61.exe

windows10_x64

10

setup_installe...f8.exe

windows7_x64

10

setup_installe...f8.exe

windows10_x64

10

setup_installe...34.exe

windows7_x64

10

setup_installe...34.exe

windows10_x64

10

setup_installe...c2.exe

windows7_x64

3

setup_installe...c2.exe

windows10_x64

10

setup_installe...cb.exe

windows7_x64

10

setup_installe...cb.exe

windows10_x64

10

setup_installe...90.exe

windows7_x64

10

setup_installe...90.exe

windows10_x64

10

setup_installe...79.exe

windows7_x64

6

setup_installe...79.exe

windows10_x64

6

setup_installe...d8.exe

windows7_x64

7

setup_installe...d8.exe

windows10_x64

3

setup_installe...3b.exe

windows7_x64

8

setup_installe...3b.exe

windows10_x64

8

setup_installe...ac.exe

windows7_x64

10

setup_installe...ac.exe

windows10_x64

10

setup_installe...38.exe

windows7_x64

10

setup_installe...38.exe

windows10_x64

10

setup_installe...b5.exe

windows7_x64

10

setup_installe...b5.exe

windows10_x64

10

setup_installe...b2.exe

windows7_x64

7

setup_installe...b2.exe

windows10_x64

7

setup_installe...rl.dll

windows7_x64

3

setup_installe...rl.dll

windows10_x64

3
General
Target

setup_installer.rar

Size

5MB

Sample

211027-rs7f6sfah4

Score
10/10
MD5

e68e1f1dd52861b65b33805901eadb6d

SHA1

65279d96a0a6615743057403bffe381130d0a749

SHA256

6851b72e0bfaf608294bcac6ffef07e5e6591aee8b94ce9afad46b6e6cc32a59

SHA512

8552c053e6096067d279f289c0ff0da5b98dc6835b248f05357bba30db07dc863af17ad5a0135394744d20980a42baba40070cc2c48f4b5637bc143f692ddf79

Malware Config

Extracted

Family

redline
Botnet

chris
C2

194.104.136.5:46013

Extracted

Family

vidar
Version

41.6
Botnet

933
C2

https://mas.to/@lilocc
Attributes
profile_id
933

Extracted

Family

redline
Botnet

build999
C2

109.107.191.123:52781

Extracted

Family

redline
Botnet

media26
C2

91.121.67.60:23325

Extracted

Family

xloader
Version

2.5
Campaign

s0iw
C2

http://www.kyiejenner.com/s0iw/
Decoy

ortopediamodelo.com

orimshirts.store

universecatholicweekly.info

yvettechan.com

sersaudavelsempre.online

face-booking.net

europeanretailgroup.com

umofan.com

roemahbajumuslim.online

joyrosecuisine.net

3dmaker.house

megdb.xyz

stereoshopie.info

gv5rm.com

tdc-trust.com

mcglobal.club

choral.works

onlineconsultantgroup.com

friscopaintandbody.com

midwestii.com

weespiel.com

babyshell.be

gwynora.com

talkthered.com

f-punk.com

frankmatlock.com

clique-solicite.net

clientloyaltysystem.com

worldbyduco.com

kampfsport-erfurt.com

adndpanel.xyz

rocknfamily.net

ambr-creative.com

wwwks8829.com

thuexegiarehcmgoviet.com

brentmurrell.art

wolf-yachts.com

tenpobiz.com

binnamall.com

crestamarti.quest

terry-hitchcock.com

ocreverseteam.com

taxwarehouse2.xyz

megawholesalesystem.com

epstein-advisory.com

enewlaunches.com

iphone13.community

pianostands.com

newspaper.clinic

alamdave.com

Extracted

Family

raccoon
Botnet

8dec62c1db2959619dca43e02fa46ad7bd606400
Attributes
url4cnc
http://telegin.top/capibar
http://ttmirror.top/capibar
http://teletele.top/capibar
http://telegalive.top/capibar
http://toptelete.top/capibar
http://telegraf.top/capibar
https://t.me/capibar
rc4.plain
rc4.plain

Extracted

Family

vidar
Version

41.6
Botnet

937
C2

https://mas.to/@lilocc
Attributes
profile_id
937

Extracted

Family

smokeloader
Version

2020
C2

http://brandyjaggers.com/upload/

http://andbal.com/upload/

http://alotofquotes.com/upload/

http://szpnc.cn/upload/

http://uggeboots.com/upload/

http://100klv.com/upload/

http://rapmusic.at/upload/

http://xacokuo8.top/

http://hajezey1.top/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

redline
Botnet

dd3
C2

91.206.14.151:16764

Extracted

Family

redline
Botnet

serman
C2

135.181.129.119:4805
Targets
Target

setup_installer/Wed0901eb1dae126e32.exe

MD5

199dd8b65aa03e11f7eb6346506d3fd2

Filesize

401KB

Score
10/10
SHA1

a04261608dabc8d394dfea558fcaeb216f6335ea

SHA256

6d5f838b8826f5fcfc939db18f02b7703b37f9ecab111bda1aeca6030dd3aa13

SHA512

0d28ba3232fac0caccc63c0b287ddd81bbc8493d8ec6d90b74f6a3d490903efb2e561cb62e6c9bae94f3bf81d6b298f72c02475f13b775312541ea579e2c4228

Tags

Signatures

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files

  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry

  • Suspicious use of SetThreadContext

Related Tasks

behavioral1behavioral2
Target

setup_installer/Wed094c47c32b.exe

MD5

b5cfd3a9dc9e645e24c79991bca60460

Filesize

1MB

Score
8/10
SHA1

0d6bcdca2121d279bbe87c66cab515ac2478f555

SHA256

852bffb94dbd3ed18ac11311b701ee80400209a19b3660b544146b41fa3b9768

SHA512

55861773c758e5f3cc7440d012d820892f7b9155b542baeab940a8c80fd50ffd1001fca6f9f9dae7eca3ae53919eba795aca53d5bb3aaaf29a111acd016d24e6

Signatures

  • Executes dropped EXE

  • Loads dropped DLL

Related Tasks

behavioral3behavioral4
Target

setup_installer/Wed096a1bff61.exe

MD5

c4d0ec0c74d01acc7135e8045630b182

Filesize

8KB

Score
10/10
SHA1

d954fa19b63df6062c013093ed22f8dc5218c48b

SHA256

8d3586126ec20da9b63930b9995d9ad9826540a71fb958431b73ff48ff6b18e2

SHA512

7cc8d2d033447eed31a1ccab040a4b52803f483d7957c488ad2165db4a308b5cf84f8e2420717436bb146e6e5d33b5d65a53b2381e3caec14b092562b940a9ed

Tags

Signatures

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • Vidar Stealer

    Tags

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files

  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry

  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry

  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

Related Tasks

behavioral5behavioral6
Target

setup_installer/Wed0971f17486f8.exe

MD5

83be628244555ddba5d7ab7252a10898

Filesize

390KB

Score
10/10
SHA1

7a8f6875211737c844fdd14ba9999e9da672de20

SHA256

e86ad9f9c576959b71ef725aaf7d74c0cf19316e1afbda61a8060d130e98fb3f

SHA512

0c09cce580cd0403191a3944f37688c079d79a21dccb014ac748620835eac542a5327a4e325a3dab0cd6c3bd0db6cb523f51bd05b027596e0b8199d0503b78e2

Tags

Signatures

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files

  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry

  • Suspicious use of SetThreadContext

Related Tasks

behavioral7behavioral8
Target

setup_installer/Wed09977fdc12334.exe

MD5

6843ec0e740bdad4d0ba1dbe6e3a1610

Filesize

125KB

Score
10/10
SHA1

9666f20f23ecd7b0f90e057c602cc4413a52d5a3

SHA256

4bb1e9ad4974b57a1364463ca28935d024a217791069dd88bedccca5eaad271a

SHA512

112a327b9e5f2c049177b2f237f5672e12b438e6d620411c7c50d945a8a3d96ec293d85a50392f62651cdf04a9f68d13d542b1626fb81b768eb342077409d6d3

Tags

Signatures

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify RegistryModify Existing ServiceDisabling Security Tools

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Socelars Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

    Tags

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query RegistryVirtualization/Sandbox Evasion

  • Vidar Stealer

    Tags

  • Xloader Payload

    Tags

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistrySystem Information Discovery

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files

  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Tags

  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry

  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry

  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery

  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

Related Tasks

behavioral9behavioral10
Target

setup_installer/Wed09abf83d9c2.exe

MD5

03137e005bdf813088f651d5b2b53e5d

Filesize

89KB

Score
10/10
SHA1

0aa1fb7e5fc80bed261c805e15ee4e3709564258

SHA256

258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd

SHA512

23bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd

Signatures

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

Related Tasks

behavioral11behavioral12
Target

setup_installer/Wed09b2a8bc4f16cb.exe

MD5

94d45a7ff853b3c5d3d441cf87a71688

Filesize

321KB

Score
10/10
SHA1

3327a1929c68a160ef6287277d4cff5747d7bb91

SHA256

172362b2f1f5dca51f1520fc186c1e67c7002f924420c5828b90e099e96b0476

SHA512

14d60e3dec00bb95d1ac35b85c4a63aef3f0157a783c79284b874691b14fc73480f34fc95e09a1e4f9a830ed73addbccb21fe99e5a8b7f3c9f6300ae21cca88f

Tags

Signatures

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Executes dropped EXE

  • Deletes itself

Related Tasks

behavioral13behavioral14
Target

setup_installer/Wed09b3a5ca1a712d390.exe

MD5

1c80f27a97ac4ce5c1c91705e0921e5a

Filesize

63KB

Score
10/10
SHA1

23b8834a95a978b881f67440ceef1046d3172dd1

SHA256

5f3d434aa99f8e88b605495e49588a87fd0aacd47092f149ff795ae983b81ae1

SHA512

31bbd0054559111b8bdbdb89947e02029d1dbe8180996ad16dc732fa317b22a2a56d782f3f563f6261e14c66fae3f4603721d473a3ec2b22470ac971edff0702

Tags

Signatures

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry

  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry

  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service

Related Tasks

behavioral15behavioral16
Target

setup_installer/Wed09c42cad92c20f79.exe

MD5

48c91156511d520353b21c4df6253944

Filesize

421KB

Score
6/10
SHA1

a5fffe608205c897fea58541ae844d30a2fa4a0f

SHA256

bb8872a748020b855eacb3df80cc431edf7104a4bdd3805f0a8bb31341cb3b92

SHA512

fb95ccf301d3461232d436070ef0710f57137860e63285eaff25ef3f22e5e381278ece8c1a6a52d889ae5a80316a7c41d4176311d32aa1034866bc91a973deaa

Signatures

  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

Related Tasks

behavioral17behavioral18
Target

setup_installer/Wed09cfb2f9758281d8.exe

MD5

dcf289d0f7a31fc3e6913d6713e2adc0

Filesize

362KB

Score
7/10
SHA1

44be915c2c70a387453224af85f20b1e129ed0f0

SHA256

06edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5

SHA512

7035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca

Signatures

  • Deletes itself

Related Tasks

behavioral19behavioral20
Target

setup_installer/Wed09d27135e5a8b3b.exe

MD5

9b07fc470646ce890bcb860a5fb55f13

Filesize

379KB

Score
8/10
SHA1

ef01d45abaf5060a0b32319e0509968f6be3082f

SHA256

506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b

SHA512

4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

Tags

Signatures

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry

Related Tasks

behavioral21behavioral22
Target

setup_installer/Wed09d8d6edfaff2ac.exe

MD5

003a0cbabbb448d4bac487ad389f9119

Filesize

126KB

Score
10/10
SHA1

5e84f0b2823a84f86dd37181117652093b470893

SHA256

5c1df1c4542e2126a35d1b2ed8cb50482650e1aafa18e1229bcfb22ea49ca380

SHA512

53f9b6dbe2aac2c6148b4d0072129977755cc4de9f5d558ce5bbf08bcf07dd9bcfeb02fecc52dfb94ae6cb8d7c48f09e36626581fe2cb6e353b1f7d7f2e30f02

Tags

Signatures

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify RegistryModify Existing ServiceDisabling Security Tools

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Socelars Payload

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

    Tags

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query RegistryVirtualization/Sandbox Evasion

  • Vidar Stealer

    Tags

  • Xloader Payload

    Tags

  • Downloads MZ/PE file

  • Executes dropped EXE

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistrySystem Information Discovery

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files

  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Tags

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry

  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry

  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery

  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

Related Tasks

behavioral23behavioral24
Target

setup_installer/Wed09db0d52c38.exe

MD5

5810fe95f7fb43baf96de0e35f814d6c

Filesize

1MB

Score
10/10
SHA1

696118263629f3cdf300934ebc3499d1c14e0233

SHA256

45904081a41de45b5be01f59c5ebc0d9f6d577cea971d3b8ea2246df6036d8a9

SHA512

832c66baff50e389294628855729955eb156479faa45080cba88ece0ee035aeef32717432e63823cbb0f0e9088b90f017a5e2888b11a0f9ede2c9ff00f605ed1

Tags

Signatures

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files

  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry

  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service

Related Tasks

behavioral25behavioral26
Target

setup_installer/Wed09e95ff6b5.exe

MD5

c9e0bf7a99131848fc562b7b512359e1

Filesize

846KB

Score
10/10
SHA1

add6942e0e243ccc1b2dc80b3a986385556cc578

SHA256

45ed24501cd9c2098197a994aaaf9fe2bcca5bc38d146f1b1e442a19667b4d7b

SHA512

87a3422dad08c460c39a3ac8fb985c51ddd21a4f66469f77098770f1396180a40646d81bdae08485f488d8ca4c65264a14fe774799235b52a09b120db6410c5a

Tags

Signatures

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Executes dropped EXE

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery

  • Loads dropped DLL

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files

  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service

  • Suspicious use of SetThreadContext

  • autoit_exe

    Description

    AutoIT scripts compiled to PE executables.

Related Tasks

behavioral27behavioral28
Target

setup_installer/Wed09f257bb7877d00b2.exe

MD5

bdbbf4f034c9f43e4ab00002eb78b990

Filesize

1MB

Score
7/10
SHA1

99c655c40434d634691ea1d189b5883f34890179

SHA256

2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae

SHA512

dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

Tags

Signatures

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

Related Tasks

behavioral29behavioral30
Target

setup_installer/libcurl.dll

MD5

d09be1f47fd6b827c81a4812b4f7296f

Filesize

218KB

Score
3/10
SHA1

028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256

0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512

857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Related Tasks

behavioral31behavioral32
Tasks

static1

Score
10/10

behavioral1

Score
10/10

behavioral2

Score
10/10

behavioral3

Score
8/10

behavioral4

Score
8/10

behavioral5

Score
10/10

behavioral6

Score
10/10

behavioral7

Score
10/10

behavioral8

Score
10/10

behavioral9

Score
10/10

behavioral10

Score
10/10

behavioral11

Score
3/10

behavioral12

Score
10/10

behavioral13

Score
10/10

behavioral14

Score
10/10

behavioral15

Score
10/10

behavioral16

Score
10/10

behavioral17

Score
6/10

behavioral18

Score
6/10

behavioral19

Score
7/10

behavioral20

Score
3/10

behavioral21

Score
8/10

behavioral22

Score
8/10

behavioral23

Score
10/10

behavioral24

Score
10/10

behavioral25

Score
10/10

behavioral26

Score
10/10

behavioral27

Score
10/10

behavioral28

Score
10/10

behavioral29

Score
7/10

behavioral30

Score
7/10

behavioral31

Score
3/10

behavioral32

Score
3/10