Description
Formbook is a data-stealing malware family.
Filename | setup_x86_x64_install.exe |
Size | 5MB |
Analysis ID | 211028-vfmssabhg4 |
MD5 | 3ad67010f1d4a291524a848856543ec8 |
SHA1 | 586eeb28c512f63371f1bb3fd2ff5014be13aecf |
SHA256 | a65439ee7ce834a2fe1bbdbe3030c9221f02a0460ba510c41ea4f246de5ac439 |
SHA512 | 86dba408b3cb93300a6d20f46216011e01bb6b0589984d22e338723beb266114ae07d9ede786189604fdaf9ce3c02d77639605f94d2b3c122031c3615d146e83 |
Family | smokeloader |
Version | 2020 |
C2 |
http://brandyjaggers.com/upload/ |
http://andbal.com/upload/ |
http://alotofquotes.com/upload/ |
http://szpnc.cn/upload/ |
http://uggeboots.com/upload/ |
http://100klv.com/upload/ |
http://rapmusic.at/upload/ |
Language | ps1 |
URLs |
ps1.dropper | https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1 |
Family | redline |
Botnet | sert23 |
C2 |
135.181.129.119:4805 |
Family | redline |
Botnet | chris |
C2 |
194.104.136.5:46013 |
Family | vidar |
Version | 41.6 |
Botnet | 933 |
C2 |
https://mas.to/@lilocc |
Attributes |
profile_id 933 |
This typically indicates the parent process was compromised via an exploit or macro.
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Modular backdoor trojan in use since 2014.
Socelars is an infostealer targeting browser cookies and credit card credentials.
Vidar is an infostealer based on Arkei stealer.
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
Uses net.exe to modify the user's privileges.
Detects executables packed with ASPack v2.12-2.42
BIOS information is often read in order to detect sandboxing environments.
Looks up the country code configured in the registry, likely for geofencing.
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Looks up Uninstall key entries in the registry to enumerate software on the system.
Attempts to read the root path of hard drives other than the default C: drive.
Uses a legitimate IP lookup service to find the infected system's external IP.