5ae571c619b6be1b6a9fc63705b19294.exe

Tags

Signatures

• Arkei

  Description

  Arkei is an infostealer written in C++.

  Tags

  stealerarkei

• Gozi, Gozi IFSB

  Description

  Gozi ISFB is a well-known and widely distributed banking trojan.

  Tags

  bankertrojangozi_ifsb

• MetaSploit

  Description

  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  Tags

  trojanbackdoormetasploit

• Modifies Windows Defender Real-time Protection settings

  Tags

  evasiontrojan

  TTPs

  Modify RegistryModify Existing ServiceDisabling Security Tools

• Process spawned unexpected child process

  Description

  This typically indicates the parent process was compromised via an exploit or macro.

• RedLine

  Description

  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  Tags

  infostealerredline

• RedLine Payload

• SmokeLoader

  Description

  Modular backdoor trojan in use since 2014.

  Tags

  trojanbackdoorsmokeloader

• Socelars

  Description

  Socelars is an infostealer targeting browser cookies and credit card credentials.

  Tags

  stealersocelars

• Socelars Payload

• Vidar

  Description

  Vidar is an infostealer based on Arkei stealer.

  Tags

  stealervidar

• Arkei Stealer Payload

  Tags

  stealer

• Identifies VirtualBox via ACPI registry values (likely anti-VM)

  Tags

  evasion

  TTPs

  Query RegistryVirtualization/Sandbox Evasion

• Vidar Stealer

  Tags

  stealer

• Downloads MZ/PE file

• Executes dropped EXE

• Modifies Windows Firewall

  Tags

  evasion

  TTPs

  Modify Existing Service

• VMProtect packed file

  Description

  Detects executables packed with VMProtect commercial packer.

  Tags

  vmprotect

• Checks BIOS information in registry

  Description

  BIOS information is often read in order to detect sandboxing environments.

  TTPs

  Query RegistrySystem Information Discovery

• Checks computer location settings

  Description

  Looks up country code configured in the registry, likely geofence.

  TTPs

  Query RegistrySystem Information Discovery

• Loads dropped DLL

• Reads user/profile data of web browsers

  Description

  Infostealers often target stored browser data, which can include saved credentials etc.

  Tags

  spywarestealer

  TTPs

  Data from Local SystemCredentials in Files

• Themida packer

  Description

  Detects Themida, an advanced Windows software protection system.

  Tags

  themida

• Checks installed software on the system

  Description

  Looks up Uninstall key entries in the registry to enumerate software on the system.

  Tags

  discovery

  TTPs

  Query Registry

• Checks whether UAC is enabled

  Tags

  evasiontrojan

  TTPs

  System Information Discovery

• Legitimate hosting services abused for malware hosting/C2

  TTPs

  Web Service

• Looks up external IP address via web service

  Description

  Uses a legitimate IP lookup service to find the infected system's external IP.

• Looks up geolocation information via web service

  Description

  Uses a legitimate geolocation service to find the infected system's geolocation info.

• Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks