Overview

overview

10

Static

static

01a53007f9...68.exe

windows7_x64

10

01a53007f9...68.exe

windows10_x64

10

022e3c30a1...66.exe

windows7_x64

10

022e3c30a1...66.exe

windows10_x64

10

02ca2b5bb7...35.exe

windows7_x64

10

02ca2b5bb7...35.exe

windows10_x64

10

0d69cafe70...cd.exe

windows7_x64

10

0d69cafe70...cd.exe

windows10_x64

10

0df647f0a2...bc.exe

windows7_x64

10

0df647f0a2...bc.exe

windows10_x64

10

1df367eead...2c.exe

windows7_x64

10

1df367eead...2c.exe

windows10_x64

10

1e083736ae...33.exe

windows7_x64

10

1e083736ae...33.exe

windows10_x64

10

1e662d9025...7d.exe

windows7_x64

10

1e662d9025...7d.exe

windows10_x64

10

2010009ff5...59.exe

windows7_x64

10

2010009ff5...59.exe

windows10_x64

10

243379992d...93.exe

windows7_x64

10

243379992d...93.exe

windows10_x64

10

2d63a14e4a...1a.exe

windows7_x64

10

2d63a14e4a...1a.exe

windows10_x64

10

30e6815ae0...51.exe

windows7_x64

1

30e6815ae0...51.exe

windows10_x64

1

364d3b0e94...fa.exe

windows7_x64

10

364d3b0e94...fa.exe

windows10_x64

10

3a4e2dfbd7...00.exe

windows7_x64

10

3a4e2dfbd7...00.exe

windows10_x64

10

4a4a606501...75.exe

windows7_x64

10

4a4a606501...75.exe

windows10_x64

10

4d89b00768...c0.exe

windows7_x64

10

4d89b00768...c0.exe

windows10_x64

10

Resubmissions

10-11-2021 14:52

211110-r84p8aedej 10

09-11-2021 13:19

211109-qkrv3sfcg4 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6040081023533056.zip

  • Size

    210.5MB

  • Sample

    211109-qkrv3sfcg4

  • MD5

    718122e481538fe9069b13d4ad3feccf

  • SHA1

    bd021b079d05d335981651154afe30f158f3f036

  • SHA256

    400debff42246bcf28d1eba937480ebdfa755c932707db10ab58ec4a1f5e94f1

  • SHA512

    5d24fa36f6caa029bb65c50dfea219ab66262bdd6b54a20eefabed7cb9c9c961c189e25304e43ceaf19a4eaa5c7c3618727d36fd3b9ac30b0d083227334dae12

Score
10/10
arkeigozi_ifsbraccoonredlinesmokeloadersocelarsvidarxloader05.1020kinstallov2f2ad1a1aa093c5a9d17040c8efd5650a99640b5916937anifuck1fucker2leyla01media12media13media17media18shes0iwaspackv2backdoorbankerdiscoveryevasioninfostealerloaderratspywarestealerthemidatrojanvmprotect

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://gmpeople.com/upload/

http://mile48.com/upload/

http://lecanardstsornin.com/upload/

http://m3600.com/upload/

http://camasirx.com/upload/

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

http://bostoc.com/upload/

http://qianyoupj.cn/upload/

http://sleoppen.com/upload/

http://stempelbeton.at/upload/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

she

C2

135.181.129.119:4805

Extracted

Family

redline

Botnet

media12

C2

91.121.67.60:2151

Extracted

Family

redline

Botnet

ANI

C2

45.142.215.47:27643

194.104.136.5:46013

Extracted

Family

socelars

C2

http://www.hhgenice.top/

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

http://www.efxety.top/

Extracted

Family

xloader

Version

2.5

Campaign

s0iw

C2

http://www.kyiejenner.com/s0iw/

Decoy

ortopediamodelo.com

orimshirts.store

universecatholicweekly.info

yvettechan.com

sersaudavelsempre.online

face-booking.net

europeanretailgroup.com

umofan.com

roemahbajumuslim.online

joyrosecuisine.net

3dmaker.house

megdb.xyz

stereoshopie.info

gv5rm.com

tdc-trust.com

mcglobal.club

choral.works

onlineconsultantgroup.com

friscopaintandbody.com

midwestii.com

Extracted

Family

vidar

Version

48.1

Botnet

937

Attributes
  • profile_id

    937

Extracted

Family

redline

Botnet

20kinstallov

C2

95.217.123.66:57358

Extracted

Family

redline

Botnet

leyla01

C2

135.181.129.119:4805

Extracted

Family

raccoon

Botnet

2f2ad1a1aa093c5a9d17040c8efd5650a99640b5

Attributes
  • url4cnc

    http://telegatt.top/oh12manymarty

    http://telegka.top/oh12manymarty

    http://telegin.top/oh12manymarty

    https://t.me/oh12manymarty

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

media18

C2

91.121.67.60:2151

Extracted

Family

redline

Botnet

fucker2

C2

135.181.129.119:4805

Extracted

Family

vidar

Version

41.4

Botnet

916

C2

https://mas.to/@sslam

Attributes
  • profile_id

    916

Extracted

Family

redline

Botnet

media17

C2

91.121.67.60:2151

Extracted

Family

redline

Botnet

fuck1

C2

135.181.129.119:4805

Extracted

Family

vidar

Version

41.5

Botnet

916

C2

https://mas.to/@xeroxxx

Attributes
  • profile_id

    916

Extracted

Family

redline

Botnet

media13

C2

91.121.67.60:2151

Extracted

Family

vidar

Version

41.3

Botnet

916

C2

https://mas.to/@oleg98

Attributes
  • profile_id

    916

Extracted

Language
ps1
Source
URLs
exe.dropper

https://cdn.discordapp.com/attachments/523238636561629190/894846072097218580/ghielufuzymmuibugkhmviaajvfwio.exe

Extracted

Family

redline

Botnet

05.10

C2

80.92.205.116:59599

Targets

    • Target

      01a53007f9b19d8ae4f12cc75bafcbef064f75d3a4b31b347b334a2d30558d68

    • Size

      3.3MB

    • MD5

      b5b1415b3890d0108ac53acd595497b9

    • SHA1

      876eb8e34ecb3c1fea20e2c6b710346676ad2de2

    • SHA256

      01a53007f9b19d8ae4f12cc75bafcbef064f75d3a4b31b347b334a2d30558d68

    • SHA512

      fe58023cba73deac0229cd45b73227e5d1c1f6760f3f053dbcdb4f388d6234940985f57ab8ffc73c4e8eff4bf3a2ef956cd44bdcdd66c44c1cc1ea86e335e4d0

    Score
    10/10
    redlinesmokeloaderanimedia12sheaspackv2backdoorevasioninfostealerspywarestealertrojanthemida

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66

    • Size

      403KB

    • MD5

      f957e397e71010885b67f2afe37d8161

    • SHA1

      a8bf84b971b37ac6e7f66c5e5a7e971a7741401e

    • SHA256

      022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66

    • SHA512

      8b5e9cb926fafc295c403c1fce7aa883db3a327e58c3295e9a081a8937bed28e305cca08c2c7d98080818095ea99bb4047e10aa2f61e3e4d6d965aef6d16a4f6

    Score
    10/10
    evasionspywarestealertrojanarkeigozi_ifsbredlinesocelarsvidarxloader20kinstallov937leyla01s0iwbankerinfostealerloaderratthemidavmprotect

    • Arkei

      Arkei is an infostealer written in C++.

      stealerarkei

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

      bankertrojangozi_ifsb

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Arkei Stealer Payload

      stealer

    • Vidar Stealer

      stealer

    • Xloader Payload

      rat

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    behavioral3behavioral4

    • Target

      02ca2b5bb774890c50950ad93becc2851bac8d04c35464dad4854088c5db4135

    • Size

      6.8MB

    • MD5

      dcd0d8a4e476db4602f3beae6a60b4c9

    • SHA1

      7906d0674d60685b06289db375eacf954e3185e3

    • SHA256

      02ca2b5bb774890c50950ad93becc2851bac8d04c35464dad4854088c5db4135

    • SHA512

      62301111141dcc72862dde4d277b4250c25bb7532105348bbb51e8ca30ded5c985016a61978509c271210faf50cbe5d789ce5f6de84511167b2c5131e8041bd8

    Score
    10/10
    redlinesmokeloadersocelarsanisheaspackv2backdoordiscoveryevasioninfostealerspywarestealertrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

    • Target

      0d69cafe700a952a621c9b5981504e30c939c3d6cc34452691fce67b2eb6c1cd

    • Size

      5.6MB

    • MD5

      a121db3e0809289a5c41c44958ff6fa0

    • SHA1

      fd40bbe6eaeea4004046f65a8c647fabb35e1742

    • SHA256

      0d69cafe700a952a621c9b5981504e30c939c3d6cc34452691fce67b2eb6c1cd

    • SHA512

      0e4af224ea67c07bdce0bae3b4040d900e2c011557ef55d8d0e68d596826561a8d4f3b553cc3290cf60e87ccee975deb65c1de9553fabfee5f67268935d8081f

    Score
    10/10
    redlinesmokeloadersocelarssheaspackv2backdoordiscoveryevasioninfostealerspywarestealertrojanvidar937ani

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      0df647f0a2aa6c1aa1ec9426b9ef7c23eb6394f3ed29fbbdd0e9e228d24510bc

    • Size

      4.4MB

    • MD5

      5fdb93aaa25f3b7e5a0a7d046e92df52

    • SHA1

      450ea998b3090ef6922200b87e49fd0c7f543420

    • SHA256

      0df647f0a2aa6c1aa1ec9426b9ef7c23eb6394f3ed29fbbdd0e9e228d24510bc

    • SHA512

      85421cae4393bd86da4a1d48fbfd4f1fa14ae3c369f9f3da5f4ef5684ce18ed5576d9e221a1264f01cb9a6211113ca64a16e708671f83e946773cd0c430dd8e6

    Score
    10/10
    raccoonredlinesmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5aspackv2backdoorevasioninfostealerspywarestealertrojanfucker2media18

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

    behavioral9behavioral10

    • Target

      1df367eead22695952cce5131891dfec5c479da37cb3dac0403015ebb785032c

    • Size

      4.6MB

    • MD5

      cc2c8271c80d294b35d51b0721d59ba5

    • SHA1

      397ee3270770e940ee868d3d06d9feaed1599d79

    • SHA256

      1df367eead22695952cce5131891dfec5c479da37cb3dac0403015ebb785032c

    • SHA512

      ecfd4c52c008a86ca387a00c530fcac2971080b5cabae4d91da425f3cb042ca2e363c5048c0ea7349ea446f4e3797c04448b84a863fbf9672dded861cc22f34c

    Score
    10/10
    raccoonredlinesocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5fucker2aspackv2infostealerstealerarkeismokeloadermedia18backdoorevasiontrojan

    • Arkei

      Arkei is an infostealer written in C++.

      stealerarkei

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Arkei Stealer Payload

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    behavioral11behavioral12

    • Target

      1e083736aeca35b40f45693442d37466fa7b61ab36b2cebc2a49cb8c8492a433

    • Size

      5.9MB

    • MD5

      2054a395da9f7a789bef703c5d2d60c1

    • SHA1

      f170cbc93d4fb3f4f92ccd88039272bf78bdfa89

    • SHA256

      1e083736aeca35b40f45693442d37466fa7b61ab36b2cebc2a49cb8c8492a433

    • SHA512

      1439382b36a24d898fc769a742b05c2c9ad898a6e5750e0f7e813fd5d536834e44572061efb0c89af72c5a97c3502e9ee30c2c861154f0fbb4c4164e3880ffcf

    Score
    10/10
    redlinesocelarsvidar916animedia17aspackv2infostealerstealersmokeloader937backdoorevasionspywaretrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    behavioral13behavioral14

    • Target

      1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d

    • Size

      7.1MB

    • MD5

      2b01f663d5244764e8c2d164d3345fd6

    • SHA1

      2b0dfcc018a5da0f140352bd114fb0f5e9abdfc3

    • SHA256

      1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d

    • SHA512

      2c7dd219673800320e3432ff6d8d2e5c2c3ae60a5f5960097d16ff79f385186ce13a81ea5a2b3d17652161d55ea552712f73d2d154b377fa74ec10043469dab4

    Score
    10/10
    raccoonredlinesmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5fuck1aspackv2backdoorinfostealerspywarestealertrojanvidar916media18evasion

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral15behavioral16

    • Target

      2010009ff5b8b55fbcaa90318461a1b5b69ef6c8fd32ac279e81a10844d57859

    • Size

      3.4MB

    • MD5

      8e909af6cbb66bc255609e7d86360e7c

    • SHA1

      3b3fbbe358970adea4c69ea8a0251407697a09e0

    • SHA256

      2010009ff5b8b55fbcaa90318461a1b5b69ef6c8fd32ac279e81a10844d57859

    • SHA512

      bd943f7562b3849695d5cec246366fc8fc811359edf890a41ed3169bd582e68b02c5831fca738b88a4d71c0e42dd3d202bc48cbc49bad24754465b410369826a

    Score
    10/10
    redlinesmokeloadermedia13sheaspackv2backdoorevasioninfostealerspywarestealertrojansocelarsani

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

    behavioral17behavioral18

    • Target

      243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493

    • Size

      4.6MB

    • MD5

      664aed619fcf50da08dc9d74f48aad57

    • SHA1

      995df8d6655cf256187df9bc9699bdd094c33616

    • SHA256

      243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493

    • SHA512

      c2b5326396712ef94b51ab52e5f655134978af980db04c09c3cb7a6fce5e236087da790a65b493c1e9760617a2867070ad824a2d458f38a65916594d313254fc

    Score
    10/10
    raccoonredlinesmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5media18aspackv2backdoorevasioninfostealerspywarestealertrojanvidarxloader937fucker2s0iwloaderrat

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Vidar Stealer

      stealer

    • Xloader Payload

      rat

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral19behavioral20

    • Target

      2d63a14e4ab37be8d0eee3d87959e3a0ef972d07411c136ecf2f1ac4191a701a

    • Size

      3.9MB

    • MD5

      e04c606d6936962fe40913b1654410d8

    • SHA1

      37a7a94ea89f4697ad779a43c907deef4fd04f89

    • SHA256

      2d63a14e4ab37be8d0eee3d87959e3a0ef972d07411c136ecf2f1ac4191a701a

    • SHA512

      a98c183a3b9b4cc34544f9cd1ba5ba4a41595ce06d21e0ae2598adc96096411e94a09e3ef72bdc49f7a74b2d58bd7274e041eee2c4d3cee6f2476b3c000c8ba2

    Score
    10/10
    redlinesmokeloadersocelarsanisheaspackv2backdoorinfostealerspywarestealertrojanvidarxloader937s0iwevasionloaderratthemida

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Vidar Stealer

      stealer

    • Xloader Payload

      rat

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

    behavioral21behavioral22

    • Target

      30e6815ae008a8638c5b30460098904121e0b98c7e87784d950f1dc55aafec51

    • Size

      8KB

    • MD5

      af6e236e2635e451927e7e99f159709a

    • SHA1

      ff5a827131c817a3bf95bb8b798b272101428618

    • SHA256

      30e6815ae008a8638c5b30460098904121e0b98c7e87784d950f1dc55aafec51

    • SHA512

      4b4fd1668211f7193c0b41bb014015f9502b2b75cb0237500c4754e3925d16f719e5154b5fe3cc328d867cfd3cd480802d6150140a48ba5a6ca407100b4b08e6

    Score
    1/10
    behavioral23behavioral24

    • Target

      364d3b0e9456ecff4518f48695df817af1fdcd76c1f9644a35cfe5ec621e5ffa

    • Size

      5.6MB

    • MD5

      395991dd927c34de92ef13d9dad8664a

    • SHA1

      d7a6e083fc39aa0933865549dd553e83e7f486bf

    • SHA256

      364d3b0e9456ecff4518f48695df817af1fdcd76c1f9644a35cfe5ec621e5ffa

    • SHA512

      f27eb6c9c63e1a40dc675b40b419481b95e27e4ceff042fe94a0ef8a77568844900d962485cfd7a1035203161693cba320375b5cc57cd12c51695a5252d78fb3

    Score
    10/10
    redlinesmokeloadersocelarsvidar916aspackv2backdoorinfostealerstealertrojananisheevasionspyware

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    behavioral25behavioral26

    • Target

      3a4e2dfbd7943c7200d7c5ea70c2b0117408d3c1ac3cac7b757d8e05dcc9ff00

    • Size

      3.4MB

    • MD5

      b1e9f93ed954f84cc0144c40c75f178f

    • SHA1

      a11c3dc288597c4139fbcab21474dd69931b8668

    • SHA256

      3a4e2dfbd7943c7200d7c5ea70c2b0117408d3c1ac3cac7b757d8e05dcc9ff00

    • SHA512

      6a3b1f513a5cdabdc6dae142fa9a61f683a2e514e0f4f1a5b20902eeb2d0918f636b600529ebf20020835d8b2b987d4123c94ee4755df1bb31274a5a4ee16da2

    Score
    10/10
    redlinesmokeloadermedia13sheaspackv2backdoorevasioninfostealerspywarestealertrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral27behavioral28

    • Target

      4a4a606501eea3b8b9e128412455243ca20de0efe374c9c47ff3b5caac457375

    • Size

      5.0MB

    • MD5

      2b0ce83a2a1065ef402b7a50f45892fd

    • SHA1

      d66a565247f9df9ac0bdb3725eee121e98d8914d

    • SHA256

      4a4a606501eea3b8b9e128412455243ca20de0efe374c9c47ff3b5caac457375

    • SHA512

      42d19f0130d34a3b37e78b6f1ba9c3c7e07d99e0a76dc005be976c51c2a363e64d475b9caa6805d3e8c1da2a4d32020f307eaae68b41d8c815ae1da8ec0db2ca

    Score
    10/10
    redlinesmokeloadersocelars05.10backdoorevasioninfostealerspywarestealertrojanarkeividarxloaders0iwloaderratthemidavmprotect

    • Arkei

      Arkei is an infostealer written in C++.

      stealerarkei

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Arkei Stealer Payload

      stealer

    • Vidar Stealer

      stealer

    • Xloader Payload

      rat

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral29behavioral30

    • Target

      4d89b007686d09c5143127f408435b76d2ea36991b728985ac47dcf797e6e7c0

    • Size

      5.9MB

    • MD5

      1f998b076047371b95763abf57a2eb5f

    • SHA1

      8ef5c726e13d658b2be905e5274cdb0ae5fd60ca

    • SHA256

      4d89b007686d09c5143127f408435b76d2ea36991b728985ac47dcf797e6e7c0

    • SHA512

      c9f3603af56effaee8a6027339d359c4954251d17d3168e638eba99fdfc25d1082de86d6bff601f985b4f8819b9808c4e2dcaa8b97947d9595edf791f986f716

    Score
    10/10
    socelarsaspackv2spywarestealerredlinesmokeloadervidar916anibackdoorevasioninfostealertrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral31behavioral32

MITRE ATT&CK Enterprise v6

Tasks

static1

Score
N/A

behavioral1

redlinesmokeloaderanimedia12sheaspackv2backdoorevasioninfostealerspywarestealertrojan
Score
10/10

behavioral2

redlinesmokeloaderanimedia12sheaspackv2backdoorinfostealerspywarestealerthemidatrojan
Score
10/10

behavioral3

evasionspywarestealertrojan
Score
10/10

behavioral4

arkeigozi_ifsbredlinesocelarsvidarxloader20kinstallov937leyla01s0iwbankerevasioninfostealerloaderratspywarestealerthemidatrojanvmprotect
Score
10/10

behavioral5

redlinesmokeloadersocelarsanisheaspackv2backdoordiscoveryevasioninfostealerspywarestealertrojan
Score
10/10

behavioral6

redlinesmokeloadersocelarsanisheaspackv2backdoorinfostealerspywarestealertrojan
Score
10/10

behavioral7

redlinesmokeloadersocelarssheaspackv2backdoordiscoveryevasioninfostealerspywarestealertrojan
Score
10/10

behavioral8

redlinesmokeloadersocelarsvidar937anisheaspackv2backdoorevasioninfostealerspywarestealertrojan
Score
10/10

behavioral9

raccoonredlinesmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5aspackv2backdoorevasioninfostealerspywarestealertrojan
Score
10/10

behavioral10

raccoonredlinesmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5fucker2media18aspackv2backdoorevasioninfostealerstealertrojan
Score
10/10

behavioral11

raccoonredlinesocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5fucker2aspackv2infostealerstealer
Score
10/10

behavioral12

arkeiraccoonredlinesmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5fucker2media18aspackv2backdoorevasioninfostealerstealertrojan
Score
10/10

behavioral13

redlinesocelarsvidar916animedia17aspackv2infostealerstealer
Score
10/10

behavioral14

redlinesmokeloadersocelarsvidar916937animedia17aspackv2backdoorevasioninfostealerspywarestealertrojan
Score
10/10

behavioral15

raccoonredlinesmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5fuck1aspackv2backdoorinfostealerspywarestealertrojan
Score
10/10

behavioral16

raccoonredlinesmokeloadersocelarsvidar2f2ad1a1aa093c5a9d17040c8efd5650a99640b5916fuck1media18aspackv2backdoorevasioninfostealerspywarestealertrojan
Score
10/10

behavioral17

redlinesmokeloadermedia13sheaspackv2backdoorevasioninfostealerspywarestealertrojan
Score
10/10

behavioral18

redlinesmokeloadersocelarsanisheaspackv2backdoorinfostealerspywarestealertrojan
Score
10/10

behavioral19

raccoonredlinesmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5media18aspackv2backdoorevasioninfostealerspywarestealertrojan
Score
10/10

behavioral20

raccoonredlinesocelarsvidarxloader2f2ad1a1aa093c5a9d17040c8efd5650a99640b5937fucker2media18s0iwaspackv2evasioninfostealerloaderratspywarestealertrojan
Score
10/10

behavioral21

redlinesmokeloadersocelarsanisheaspackv2backdoorinfostealerspywarestealertrojan
Score
10/10

behavioral22

redlinesmokeloadersocelarsvidarxloader937anishes0iwaspackv2backdoorevasioninfostealerloaderratspywarestealerthemidatrojan
Score
10/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

redlinesmokeloadersocelarsvidar916aspackv2backdoorinfostealerstealertrojan
Score
10/10

behavioral26

redlinesmokeloadersocelarsvidar916anisheaspackv2backdoorevasioninfostealerspywarestealertrojan
Score
10/10

behavioral27

redlinesmokeloadermedia13sheaspackv2backdoorevasioninfostealerspywarestealertrojan
Score
10/10

behavioral28

redlinesmokeloadersheaspackv2backdoorevasioninfostealerspywarestealertrojan
Score
10/10

behavioral29

redlinesmokeloadersocelars05.10backdoorevasioninfostealerspywarestealertrojan
Score
10/10

behavioral30

arkeiredlinesmokeloadersocelarsvidarxloader05.10s0iwbackdoorevasioninfostealerloaderratspywarestealerthemidatrojanvmprotect
Score
10/10

behavioral31

socelarsaspackv2spywarestealer
Score
10/10

behavioral32

redlinesmokeloadersocelarsvidar916aniaspackv2backdoorevasioninfostealerspywarestealertrojan
Score
10/10