Amadey

Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

Formbook

Formbook is a data stealing malware which is capable of stealing data.

IcedID, BokBot

IcedID is a banking trojan capable of stealing credentials.

Modifies Windows Defender Real-time Protection settings

Modifies system executable filetype association

Process spawned unexpected child process

This typically indicates the parent process was compromised via an exploit or macro.

RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload

Registers COM server for autorun

SmokeLoader

Modular backdoor trojan in use since 2014.

Socelars

Socelars is an infostealer targeting browser cookies and credit card credentials.

Socelars Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Suspicious use of NtCreateUserProcessOtherParentProcess

Vidar

Vidar is an infostealer based on Arkei stealer.

suricata: ET MALWARE Amadey CnC Check-In

suricata: ET MALWARE Amadey CnC Check-In

suricata: ET MALWARE ClipBanker Variant Activity (POST)

suricata: ET MALWARE ClipBanker Variant Activity (POST)

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

suricata: ET MALWARE GCleaner Downloader Activity M5

suricata: ET MALWARE GCleaner Downloader Activity M5

suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad

suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

suricata: ET MALWARE Win32/IcedID Request Cookie

suricata: ET MALWARE Win32/IcedID Request Cookie

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

Grants admin privileges

Uses net.exe to modify the user's privileges.

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar Stealer

ASPack v2.12-2.42

Detects executables packed with ASPack v2.12-2.42

Adds policy Run key to start application

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Possible privilege escalation attempt

Sets service image path in registry