General
-
Target
6040081023533056.zip
-
Size
210.5MB
-
Sample
211109-qkrv3sfcg4
-
MD5
718122e481538fe9069b13d4ad3feccf
-
SHA1
bd021b079d05d335981651154afe30f158f3f036
-
SHA256
400debff42246bcf28d1eba937480ebdfa755c932707db10ab58ec4a1f5e94f1
-
SHA512
5d24fa36f6caa029bb65c50dfea219ab66262bdd6b54a20eefabed7cb9c9c961c189e25304e43ceaf19a4eaa5c7c3618727d36fd3b9ac30b0d083227334dae12
Malware Config
Extracted
smokeloader
2020
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
http://directorycart.com/upload/
http://tierzahnarzt.at/upload/
http://streetofcards.com/upload/
http://ycdfzd.com/upload/
http://successcoachceo.com/upload/
http://uhvu.cn/upload/
http://japanarticle.com/upload/
http://bostoc.com/upload/
http://qianyoupj.cn/upload/
http://sleoppen.com/upload/
http://stempelbeton.at/upload/
Extracted
redline
she
135.181.129.119:4805
Extracted
redline
media12
91.121.67.60:2151
Extracted
redline
ANI
45.142.215.47:27643
194.104.136.5:46013
Extracted
socelars
http://www.hhgenice.top/
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
http://www.efxety.top/
Extracted
xloader
2.5
s0iw
http://www.kyiejenner.com/s0iw/
ortopediamodelo.com
orimshirts.store
universecatholicweekly.info
yvettechan.com
sersaudavelsempre.online
face-booking.net
europeanretailgroup.com
umofan.com
roemahbajumuslim.online
joyrosecuisine.net
3dmaker.house
megdb.xyz
stereoshopie.info
gv5rm.com
tdc-trust.com
mcglobal.club
choral.works
onlineconsultantgroup.com
friscopaintandbody.com
midwestii.com
Extracted
vidar
48.1
937
-
profile_id
937
Extracted
redline
20kinstallov
95.217.123.66:57358
Extracted
redline
leyla01
135.181.129.119:4805
Extracted
raccoon
2f2ad1a1aa093c5a9d17040c8efd5650a99640b5
-
url4cnc
http://telegatt.top/oh12manymarty
http://telegka.top/oh12manymarty
http://telegin.top/oh12manymarty
https://t.me/oh12manymarty
Extracted
redline
media18
91.121.67.60:2151
Extracted
redline
fucker2
135.181.129.119:4805
Extracted
vidar
41.4
916
https://mas.to/@sslam
-
profile_id
916
Extracted
redline
media17
91.121.67.60:2151
Extracted
redline
fuck1
135.181.129.119:4805
Extracted
vidar
41.5
916
https://mas.to/@xeroxxx
-
profile_id
916
Extracted
redline
media13
91.121.67.60:2151
Extracted
vidar
41.3
916
https://mas.to/@oleg98
-
profile_id
916
Extracted
https://cdn.discordapp.com/attachments/523238636561629190/894846072097218580/ghielufuzymmuibugkhmviaajvfwio.exe
Extracted
redline
05.10
80.92.205.116:59599
Targets
-
-
Target
01a53007f9b19d8ae4f12cc75bafcbef064f75d3a4b31b347b334a2d30558d68
-
Size
3.3MB
-
MD5
b5b1415b3890d0108ac53acd595497b9
-
SHA1
876eb8e34ecb3c1fea20e2c6b710346676ad2de2
-
SHA256
01a53007f9b19d8ae4f12cc75bafcbef064f75d3a4b31b347b334a2d30558d68
-
SHA512
fe58023cba73deac0229cd45b73227e5d1c1f6760f3f053dbcdb4f388d6234940985f57ab8ffc73c4e8eff4bf3a2ef956cd44bdcdd66c44c1cc1ea86e335e4d0
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66
-
Size
403KB
-
MD5
f957e397e71010885b67f2afe37d8161
-
SHA1
a8bf84b971b37ac6e7f66c5e5a7e971a7741401e
-
SHA256
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66
-
SHA512
8b5e9cb926fafc295c403c1fce7aa883db3a327e58c3295e9a081a8937bed28e305cca08c2c7d98080818095ea99bb4047e10aa2f61e3e4d6d965aef6d16a4f6
Score10/10-
Arkei
Arkei is an infostealer written in C++.
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Arkei Stealer Payload
-
Vidar Stealer
-
Xloader Payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
-
-
Target
02ca2b5bb774890c50950ad93becc2851bac8d04c35464dad4854088c5db4135
-
Size
6.8MB
-
MD5
dcd0d8a4e476db4602f3beae6a60b4c9
-
SHA1
7906d0674d60685b06289db375eacf954e3185e3
-
SHA256
02ca2b5bb774890c50950ad93becc2851bac8d04c35464dad4854088c5db4135
-
SHA512
62301111141dcc72862dde4d277b4250c25bb7532105348bbb51e8ca30ded5c985016a61978509c271210faf50cbe5d789ce5f6de84511167b2c5131e8041bd8
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
0d69cafe700a952a621c9b5981504e30c939c3d6cc34452691fce67b2eb6c1cd
-
Size
5.6MB
-
MD5
a121db3e0809289a5c41c44958ff6fa0
-
SHA1
fd40bbe6eaeea4004046f65a8c647fabb35e1742
-
SHA256
0d69cafe700a952a621c9b5981504e30c939c3d6cc34452691fce67b2eb6c1cd
-
SHA512
0e4af224ea67c07bdce0bae3b4040d900e2c011557ef55d8d0e68d596826561a8d4f3b553cc3290cf60e87ccee975deb65c1de9553fabfee5f67268935d8081f
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
0df647f0a2aa6c1aa1ec9426b9ef7c23eb6394f3ed29fbbdd0e9e228d24510bc
-
Size
4.4MB
-
MD5
5fdb93aaa25f3b7e5a0a7d046e92df52
-
SHA1
450ea998b3090ef6922200b87e49fd0c7f543420
-
SHA256
0df647f0a2aa6c1aa1ec9426b9ef7c23eb6394f3ed29fbbdd0e9e228d24510bc
-
SHA512
85421cae4393bd86da4a1d48fbfd4f1fa14ae3c369f9f3da5f4ef5684ce18ed5576d9e221a1264f01cb9a6211113ca64a16e708671f83e946773cd0c430dd8e6
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
-
-
-
Target
1df367eead22695952cce5131891dfec5c479da37cb3dac0403015ebb785032c
-
Size
4.6MB
-
MD5
cc2c8271c80d294b35d51b0721d59ba5
-
SHA1
397ee3270770e940ee868d3d06d9feaed1599d79
-
SHA256
1df367eead22695952cce5131891dfec5c479da37cb3dac0403015ebb785032c
-
SHA512
ecfd4c52c008a86ca387a00c530fcac2971080b5cabae4d91da425f3cb042ca2e363c5048c0ea7349ea446f4e3797c04448b84a863fbf9672dded861cc22f34c
Score10/10-
Arkei
Arkei is an infostealer written in C++.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload
-
Arkei Stealer Payload
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
-
-
Target
1e083736aeca35b40f45693442d37466fa7b61ab36b2cebc2a49cb8c8492a433
-
Size
5.9MB
-
MD5
2054a395da9f7a789bef703c5d2d60c1
-
SHA1
f170cbc93d4fb3f4f92ccd88039272bf78bdfa89
-
SHA256
1e083736aeca35b40f45693442d37466fa7b61ab36b2cebc2a49cb8c8492a433
-
SHA512
1439382b36a24d898fc769a742b05c2c9ad898a6e5750e0f7e813fd5d536834e44572061efb0c89af72c5a97c3502e9ee30c2c861154f0fbb4c4164e3880ffcf
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
-
-
Target
1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d
-
Size
7.1MB
-
MD5
2b01f663d5244764e8c2d164d3345fd6
-
SHA1
2b0dfcc018a5da0f140352bd114fb0f5e9abdfc3
-
SHA256
1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d
-
SHA512
2c7dd219673800320e3432ff6d8d2e5c2c3ae60a5f5960097d16ff79f385186ce13a81ea5a2b3d17652161d55ea552712f73d2d154b377fa74ec10043469dab4
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
2010009ff5b8b55fbcaa90318461a1b5b69ef6c8fd32ac279e81a10844d57859
-
Size
3.4MB
-
MD5
8e909af6cbb66bc255609e7d86360e7c
-
SHA1
3b3fbbe358970adea4c69ea8a0251407697a09e0
-
SHA256
2010009ff5b8b55fbcaa90318461a1b5b69ef6c8fd32ac279e81a10844d57859
-
SHA512
bd943f7562b3849695d5cec246366fc8fc811359edf890a41ed3169bd582e68b02c5831fca738b88a4d71c0e42dd3d202bc48cbc49bad24754465b410369826a
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
-
-
-
Target
243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493
-
Size
4.6MB
-
MD5
664aed619fcf50da08dc9d74f48aad57
-
SHA1
995df8d6655cf256187df9bc9699bdd094c33616
-
SHA256
243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493
-
SHA512
c2b5326396712ef94b51ab52e5f655134978af980db04c09c3cb7a6fce5e236087da790a65b493c1e9760617a2867070ad824a2d458f38a65916594d313254fc
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Vidar Stealer
-
Xloader Payload
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
2d63a14e4ab37be8d0eee3d87959e3a0ef972d07411c136ecf2f1ac4191a701a
-
Size
3.9MB
-
MD5
e04c606d6936962fe40913b1654410d8
-
SHA1
37a7a94ea89f4697ad779a43c907deef4fd04f89
-
SHA256
2d63a14e4ab37be8d0eee3d87959e3a0ef972d07411c136ecf2f1ac4191a701a
-
SHA512
a98c183a3b9b4cc34544f9cd1ba5ba4a41595ce06d21e0ae2598adc96096411e94a09e3ef72bdc49f7a74b2d58bd7274e041eee2c4d3cee6f2476b3c000c8ba2
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Vidar Stealer
-
Xloader Payload
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
-
-
-
Target
30e6815ae008a8638c5b30460098904121e0b98c7e87784d950f1dc55aafec51
-
Size
8KB
-
MD5
af6e236e2635e451927e7e99f159709a
-
SHA1
ff5a827131c817a3bf95bb8b798b272101428618
-
SHA256
30e6815ae008a8638c5b30460098904121e0b98c7e87784d950f1dc55aafec51
-
SHA512
4b4fd1668211f7193c0b41bb014015f9502b2b75cb0237500c4754e3925d16f719e5154b5fe3cc328d867cfd3cd480802d6150140a48ba5a6ca407100b4b08e6
Score1/10 -
-
-
Target
364d3b0e9456ecff4518f48695df817af1fdcd76c1f9644a35cfe5ec621e5ffa
-
Size
5.6MB
-
MD5
395991dd927c34de92ef13d9dad8664a
-
SHA1
d7a6e083fc39aa0933865549dd553e83e7f486bf
-
SHA256
364d3b0e9456ecff4518f48695df817af1fdcd76c1f9644a35cfe5ec621e5ffa
-
SHA512
f27eb6c9c63e1a40dc675b40b419481b95e27e4ceff042fe94a0ef8a77568844900d962485cfd7a1035203161693cba320375b5cc57cd12c51695a5252d78fb3
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
-
-
Target
3a4e2dfbd7943c7200d7c5ea70c2b0117408d3c1ac3cac7b757d8e05dcc9ff00
-
Size
3.4MB
-
MD5
b1e9f93ed954f84cc0144c40c75f178f
-
SHA1
a11c3dc288597c4139fbcab21474dd69931b8668
-
SHA256
3a4e2dfbd7943c7200d7c5ea70c2b0117408d3c1ac3cac7b757d8e05dcc9ff00
-
SHA512
6a3b1f513a5cdabdc6dae142fa9a61f683a2e514e0f4f1a5b20902eeb2d0918f636b600529ebf20020835d8b2b987d4123c94ee4755df1bb31274a5a4ee16da2
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
4a4a606501eea3b8b9e128412455243ca20de0efe374c9c47ff3b5caac457375
-
Size
5.0MB
-
MD5
2b0ce83a2a1065ef402b7a50f45892fd
-
SHA1
d66a565247f9df9ac0bdb3725eee121e98d8914d
-
SHA256
4a4a606501eea3b8b9e128412455243ca20de0efe374c9c47ff3b5caac457375
-
SHA512
42d19f0130d34a3b37e78b6f1ba9c3c7e07d99e0a76dc005be976c51c2a363e64d475b9caa6805d3e8c1da2a4d32020f307eaae68b41d8c815ae1da8ec0db2ca
Score10/10-
Arkei
Arkei is an infostealer written in C++.
-
Modifies Windows Defender Real-time Protection settings
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Arkei Stealer Payload
-
Vidar Stealer
-
Xloader Payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
4d89b007686d09c5143127f408435b76d2ea36991b728985ac47dcf797e6e7c0
-
Size
5.9MB
-
MD5
1f998b076047371b95763abf57a2eb5f
-
SHA1
8ef5c726e13d658b2be905e5274cdb0ae5fd60ca
-
SHA256
4d89b007686d09c5143127f408435b76d2ea36991b728985ac47dcf797e6e7c0
-
SHA512
c9f3603af56effaee8a6027339d359c4954251d17d3168e638eba99fdfc25d1082de86d6bff601f985b4f8819b9808c4e2dcaa8b97947d9595edf791f986f716
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-