Resubmissions

10-11-2021 14:50

211110-r7nbvaeddr 10

08-11-2021 16:12

211108-tnmmbahgaj 10

08-11-2021 15:26

211108-svdsbaccf6 10

08-11-2021 14:48

211108-r6lfvshdfn 10

General

  • Target

    6711694555512832.zip

  • Size

    37.7MB

  • Sample

    211108-r6lfvshdfn

  • MD5

    aedf5548afa01555c3de174aa6bfc654

  • SHA1

    237aed5308abc0ebb8940a8418c7c5b65658cb06

  • SHA256

    64506751e65ec41605c04620d393cdf9338ce76d31d8b0868dbdfce88f086a03

  • SHA512

    c3ca677f3e4d9c4aee2c9777dd2da0d4d319c2cc78760c244a45a221d92b955c158279eae8a8a0c12c3d2ab35e575ff5b5292633ff58c24aa7f7860883ecc565

Malware Config

Extracted

Family

socelars

C2

http://www.hhgenice.top/

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.efxety.top/

Extracted

Family

xloader

Version

2.5

Campaign

s0iw

C2

http://www.kyiejenner.com/s0iw/

Decoy

ortopediamodelo.com

orimshirts.store

universecatholicweekly.info

yvettechan.com

sersaudavelsempre.online

face-booking.net

europeanretailgroup.com

umofan.com

roemahbajumuslim.online

joyrosecuisine.net

3dmaker.house

megdb.xyz

stereoshopie.info

gv5rm.com

tdc-trust.com

mcglobal.club

choral.works

onlineconsultantgroup.com

friscopaintandbody.com

midwestii.com

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

19425a9ea527ab0b3a94d8156a7d2f62d79d3b73

Attributes
  • url4cnc

    http://91.219.236.162/bimboDinotrex

    http://185.163.47.176/bimboDinotrex

    http://193.38.54.238/bimboDinotrex

    http://74.119.192.122/bimboDinotrex

    http://91.219.236.240/bimboDinotrex

    https://t.me/bimboDinotrex

rc4.plain
rc4.plain

Extracted

Family

redline

C2

45.9.20.149:10844

Extracted

Family

redline

Botnet

udptest

C2

193.56.146.64:65441

Extracted

Family

vidar

Version

47.9

Botnet

937

C2

https://mas.to/@kirpich

Attributes
  • profile_id

    937

Extracted

Family

smokeloader

Version

2020

C2

http://misha.at/upload/

http://roohaniinfra.com/upload/

http://0axqpcc.cn/upload/

http://mayak-lombard.ru/upload/

http://mebel-lass.ru/upload/

http://dishakhan.com/upload/

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

http://brandyjaggers.com/upload/

http://andbal.com/upload/

http://alotofquotes.com/upload/

http://szpnc.cn/upload/

http://uggeboots.com/upload/

http://100klv.com/upload/

http://rapmusic.at/upload/

rc4.i32
rc4.i32

Extracted

Family

vidar

Version

47.9

Botnet

933

C2

https://mas.to/@kirpich

Attributes
  • profile_id

    933

Extracted

Family

raccoon

Botnet

2f2ad1a1aa093c5a9d17040c8efd5650a99640b5

Attributes
  • url4cnc

    http://telegatt.top/oh12manymarty

    http://telegka.top/oh12manymarty

    http://telegin.top/oh12manymarty

    https://t.me/oh12manymarty

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

fucker2

C2

135.181.129.119:4805

Extracted

Family

redline

Botnet

Chris

C2

194.104.136.5:46013

Extracted

Family

redline

Botnet

media18

C2

91.121.67.60:2151

Extracted

Family

redline

Botnet

media20

C2

91.121.67.60:2151

Extracted

Family

redline

Botnet

media25

C2

91.121.67.60:23325

Extracted

Family

redline

Botnet

ChrisNEW

C2

194.104.136.5:46013

Extracted

Family

vidar

Version

41.6

Botnet

933

C2

https://mas.to/@lilocc

Attributes
  • profile_id

    933

Extracted

Family

redline

Botnet

media29

C2

91.121.67.60:23325

Extracted

Family

redline

Botnet

srtupdate33

C2

135.181.129.119:4805

Extracted

Family

redline

Botnet

chris

C2

194.104.136.5:46013

Targets

    • Target

      022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66

    • Size

      403KB

    • MD5

      f957e397e71010885b67f2afe37d8161

    • SHA1

      a8bf84b971b37ac6e7f66c5e5a7e971a7741401e

    • SHA256

      022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66

    • SHA512

      8b5e9cb926fafc295c403c1fce7aa883db3a327e58c3295e9a081a8937bed28e305cca08c2c7d98080818095ea99bb4047e10aa2f61e3e4d6d965aef6d16a4f6

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Modifies Windows Defender Real-time Protection settings

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

      suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    • suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

      suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • Vidar Stealer

    • Xloader Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Target

      4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef

    • Size

      4.7MB

    • MD5

      0cc50985a2e8ae4f126dabb4b6a1c2be

    • SHA1

      4d20dd812a0b2d47f4b9b511538125a1ad5d917c

    • SHA256

      4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef

    • SHA512

      9916db8f6dcc3532d3f205d3d96154cdb511ac3b135a874f72f47be251feeedc3a83b9304f132b1e680b48b2d820dd88a2692cc1080baf88be4ffcb45d2cc439

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

      suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    • suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

      suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3

    • Size

      4.6MB

    • MD5

      4f85f62146d5148f290ff107d4380941

    • SHA1

      5c513bcc232f36d97c2e893d1c763f3cbbf554ff

    • SHA256

      578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3

    • SHA512

      bc4ae4f7101b20ab649ea2a44d5da42875af5068c33c1772960c342cc8731bddfdabd721fb31a49523ea957615252d567a00346035bddacfa58cf97853587594

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata: ET MALWARE ClipBanker Variant Activity (POST)

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782

    • Size

      3.6MB

    • MD5

      9725f7f222530388cb2743504a6e0667

    • SHA1

      56d0eb91855e326b050c904147f4d9dafc596d70

    • SHA256

      9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782

    • SHA512

      ea5aedb3c3ab725c9afc65481ef7b59cdfad80613aaf43a8e76ec94045824269b008007644cb7943e65e98a87650f7f980afcd66ae1dee7807d84be57c018663

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • Vidar Stealer

    • Xloader Payload

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4

    • Size

      4.4MB

    • MD5

      bfc2137972c74edea0f9791b94486e9b

    • SHA1

      fd72e52406ce3f2ae5cfdb5dd8c7243f3ce31eb3

    • SHA256

      a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4

    • SHA512

      9fcd3756f9888e2000b94caf0d803087497b87428c0bd641901d2e416411bc698d9ca3a7a00d3cd711b681f3c8b8921f2a478f0ec1f975bc36fde5cf16741e75

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

      suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    • suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

      suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Target

      acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0

    • Size

      3.5MB

    • MD5

      a75539ada819b941531f116f3d50b13b

    • SHA1

      942d264f3b0cc866c84114a06be4fa7aeb905b3c

    • SHA256

      acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0

    • SHA512

      ee89498995cc1a9a91c754c391082f7e38fa22fee413033b6cb9318a0008baa7e8bfcf2a1c3aebc3fa1c0cbace33c27b8979953868b01dc296c9e01e0c8e3b49

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

      suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    • suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

      suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Target

      cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2

    • Size

      5.6MB

    • MD5

      5802bc4fd763cd759b7875e94f9f2eaf

    • SHA1

      91eaa6e6f9b5c52a2b91806bfbf513ed336e3f6a

    • SHA256

      cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2

    • SHA512

      91f9c64c61456c91e74cad1c8a5f9aca54e44f00612085721c1b2ad8e9305679f3ed562939b0505843c06b619ab8f4818f3a537e33c122a02569cf080d13181a

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • autoit_exe

      AutoIT scripts compiled to PE executables.

    • Target

      db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12

    • Size

      4.6MB

    • MD5

      c7f1d6db5efddf8b46441be0edfaadfd

    • SHA1

      e27a2fab7ac49b1709c8d9e0183b020f1be61fc6

    • SHA256

      db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12

    • SHA512

      856e4f8a48848b5ddc42af7c282fdbc87df641665c0a0fdb28d5af2b6ac3299d9ae3c9b9d25b145816092abd248df32c9ea4f72ea59217b50460d48fb95ecb9a

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

      suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    • suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

      suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Target

      e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6

    • Size

      834KB

    • MD5

      2c25a0926e5228d2205b3b8c8ef4d7f4

    • SHA1

      5f8a9d364dc3d03a5b11fd5be0629d0fb5a8c409

    • SHA256

      e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6

    • SHA512

      cafe8fae74d414015118b838b5e4b30183733d5e833c5db84a56bd2d5cf728cad08d2bbefbeadc86b15b7dbf6dc25fcabdffa8ff4fb346dc0f66376087a28468

    Score
    10/10
    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata: ET MALWARE ClipBanker Variant Activity (POST)

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb

    • Size

      5.9MB

    • MD5

      00987bdf68fafbdfa9dd1365a6827d72

    • SHA1

      f205c391087833eeb978895d37c2e199c4bf2747

    • SHA256

      f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb

    • SHA512

      9fb4e297f48a95d31a3bc82159b7304f29f50d9e7b823a91b6af02453deca7cf5ef50698b1aee9f00120c1d5d90de1b0fdbb5c92fedbc5823eea743d9e3e6319

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

8
T1053

Persistence

Modify Existing Service

10
T1031

Scheduled Task

8
T1053

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Scheduled Task

8
T1053

Defense Evasion

Modify Registry

9
T1112

Disabling Security Tools

5
T1089

Virtualization/Sandbox Evasion

2
T1497

Install Root Certificate

2
T1130

Credential Access

Credentials in Files

8
T1081

Discovery

Query Registry

18
T1012

System Information Discovery

27
T1082

Virtualization/Sandbox Evasion

2
T1497

Peripheral Device Discovery

4
T1120

Collection

Data from Local System

8
T1005

Command and Control

Web Service

9
T1102

Tasks

static1

Score
N/A

behavioral1

evasionspywarestealersuricatatrojan
Score
10/10

behavioral2

gozi_ifsbraccoonredlinesmokeloadersocelarsvidarxloader19425a9ea527ab0b3a94d8156a7d2f62d79d3b73933937udptests0iwbackdoorbankerevasioninfostealerloaderratspywarestealersuricatathemidatrojanvmprotect
Score
10/10

behavioral3

raccoonredlinesmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatatrojan
Score
10/10

behavioral4

raccoonredlinesmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5chrisfucker2aspackv2backdoorevasioninfostealerstealersuricatathemidatrojan
Score
10/10

behavioral5

raccoonredlinesocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5aspackv2discoveryevasioninfostealerpersistencespywarestealersuricatatrojan
Score
10/10

behavioral6

raccoonredlinesmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5chrisfucker2media18aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatathemidatrojan
Score
10/10

behavioral7

redlinesmokeloaderaspackv2backdoorinfostealersuricatatrojan
Score
10/10

behavioral8

redlinesmokeloadervidarxloader937chrisfucker2s0iwaspackv2backdoorevasioninfostealerloaderratspywarestealersuricatathemidatrojan
Score
10/10

behavioral9

redlinesocelarsaspackv2infostealerstealersuricata
Score
10/10

behavioral10

raccoonredlinesmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5chrisfucker2media18aspackv2backdoorevasioninfostealerstealersuricatathemidatrojan
Score
10/10

behavioral11

redlinesmokeloaderchrisfucker2aspackv2backdoorinfostealersuricatatrojan
Score
10/10

behavioral12

redlinesmokeloadervidar937chrisfucker2media20aspackv2backdoorevasioninfostealerspywarestealersuricatatrojan
Score
10/10

behavioral13

redlinesmokeloadersocelarsaspackv2backdoorinfostealerstealersuricatatrojan
Score
10/10

behavioral14

redlinesmokeloadersocelarschrisnewmedia25aspackv2backdoorinfostealerstealertrojan
Score
10/10

behavioral15

redlinesmokeloadersocelarsmedia18aspackv2backdoorinfostealerstealersuricatatrojan
Score
10/10

behavioral16

raccoonredlinesmokeloadersocelarsvidar2f2ad1a1aa093c5a9d17040c8efd5650a99640b5937fucker2media18aspackv2backdoorevasioninfostealerstealersuricatathemidatrojan
Score
10/10

behavioral17

suricata
Score
10/10

behavioral18

suricata
Score
10/10

behavioral19

redlinesmokeloadersocelarsvidar933aspackv2backdoorinfostealerstealersuricatatrojan
Score
10/10

behavioral20

redlinesmokeloadersocelarsvidar933chrismedia29srtupdate33aspackv2backdoorinfostealerspywarestealersuricatatrojan
Score
10/10