Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

022e3c30a1...66.exe

windows7_x64

10

022e3c30a1...66.exe

windows11_x64

10

022e3c30a1...66.exe

windows10_x64

10

4d27dca0a1...ef.exe

windows7_x64

10

4d27dca0a1...ef.exe

windows11_x64

10

4d27dca0a1...ef.exe

windows10_x64

10

578a3a7a2b...b3.exe

windows7_x64

10

578a3a7a2b...b3.exe

windows11_x64

10

578a3a7a2b...b3.exe

windows10_x64

10

9c4880a98c...82.exe

windows7_x64

10

9c4880a98c...82.exe

windows11_x64

10

9c4880a98c...82.exe

windows10_x64

10

a1dad4a83d...c4.exe

windows7_x64

10

a1dad4a83d...c4.exe

windows11_x64

10

a1dad4a83d...c4.exe

windows10_x64

10

acf1b7d80f...e0.exe

windows7_x64

10

acf1b7d80f...e0.exe

windows11_x64

10

acf1b7d80f...e0.exe

windows10_x64

10

cbf31d825a...d2.exe

windows7_x64

10

cbf31d825a...d2.exe

windows11_x64

10

cbf31d825a...d2.exe

windows10_x64

10

db76a117db...12.exe

windows7_x64

10

db76a117db...12.exe

windows11_x64

10

db76a117db...12.exe

windows10_x64

10

e2ffb8aeeb...f6.exe

windows7_x64

10

e2ffb8aeeb...f6.exe

windows11_x64

10

e2ffb8aeeb...f6.exe

windows10_x64

10

f2196668f4...cb.exe

windows7_x64

10

f2196668f4...cb.exe

windows11_x64

10

f2196668f4...cb.exe

windows10_x64

10

Resubmissions

10/11/2021, 14:50

211110-r7nbvaeddr 10

08/11/2021, 16:12

211108-tnmmbahgaj 10

08/11/2021, 15:26

211108-svdsbaccf6 10

08/11/2021, 14:48

211108-r6lfvshdfn 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6711694555512832.zip

  • Size

    37.7MB

  • Sample

    211110-r7nbvaeddr

  • MD5

    aedf5548afa01555c3de174aa6bfc654

  • SHA1

    237aed5308abc0ebb8940a8418c7c5b65658cb06

  • SHA256

    64506751e65ec41605c04620d393cdf9338ce76d31d8b0868dbdfce88f086a03

  • SHA512

    c3ca677f3e4d9c4aee2c9777dd2da0d4d319c2cc78760c244a45a221d92b955c158279eae8a8a0c12c3d2ab35e575ff5b5292633ff58c24aa7f7860883ecc565

Score
10/10
arkeigozi_ifsbmetasploitraccoonredlinesmokeloadersocelarsvidar1011h2f2ad1a1aa093c5a9d17040c8efd5650a99640b5937chrischrisnewfucker2media18media20media25media29srtupdate33udptestaspackv2backdoorbankerdiscoveryevasioninfostealerpersistencespywarestealersuricatathemidatrojanvmprotect

Malware Config

Extracted

Family

socelars

C2

http://www.hhgenice.top/

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.efxety.top/

Extracted

Family

redline

C2

tatreriash.xyz:80

Extracted

Family

smokeloader

Version

2020

C2

http://nalirou70.top/

http://xacokuo80.top/

http://misha.at/upload/

http://roohaniinfra.com/upload/

http://0axqpcc.cn/upload/

http://mayak-lombard.ru/upload/

http://mebel-lass.ru/upload/

http://dishakhan.com/upload/

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

http://brandyjaggers.com/upload/

http://andbal.com/upload/

http://alotofquotes.com/upload/

http://szpnc.cn/upload/

http://uggeboots.com/upload/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

udptest

C2

193.56.146.64:65441

Extracted

Family

redline

Botnet

1011h

C2

charirelay.xyz:80

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

raccoon

Botnet

2f2ad1a1aa093c5a9d17040c8efd5650a99640b5

Attributes
  • url4cnc

    http://telegatt.top/oh12manymarty

    http://telegka.top/oh12manymarty

    http://telegin.top/oh12manymarty

    https://t.me/oh12manymarty

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

Chris

C2

194.104.136.5:46013

Extracted

Family

redline

Botnet

media18

C2

91.121.67.60:2151

Extracted

Family

redline

Botnet

fucker2

C2

135.181.129.119:4805

Extracted

Family

vidar

Version

48.1

Botnet

937

Attributes
  • profile_id

    937

Extracted

Family

redline

Botnet

media20

C2

91.121.67.60:2151

Extracted

Family

redline

Botnet

media25

C2

91.121.67.60:23325

Extracted

Family

redline

Botnet

ChrisNEW

C2

194.104.136.5:46013

Extracted

Family

redline

Botnet

chris

C2

194.104.136.5:46013

Extracted

Family

redline

Botnet

media29

C2

91.121.67.60:23325

Extracted

Family

redline

Botnet

srtupdate33

C2

135.181.129.119:4805

Targets

    • Target

      022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66

    • Size

      403KB

    • MD5

      f957e397e71010885b67f2afe37d8161

    • SHA1

      a8bf84b971b37ac6e7f66c5e5a7e971a7741401e

    • SHA256

      022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66

    • SHA512

      8b5e9cb926fafc295c403c1fce7aa883db3a327e58c3295e9a081a8937bed28e305cca08c2c7d98080818095ea99bb4047e10aa2f61e3e4d6d965aef6d16a4f6

    Score
    10/10
    evasionspywarestealersuricatatrojanarkeigozi_ifsbredlinesmokeloadersocelarsvidarbackdoorbankerdiscoveryinfostealerthemidavmprotectmetasploit1011hudptest

    • Arkei

      Arkei is an infostealer written in C++.

      stealerarkei

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

      bankertrojangozi_ifsb

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata

    • Arkei Stealer Payload

      stealer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Vidar Stealer

      stealer

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3

    • Target

      4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef

    • Size

      4.7MB

    • MD5

      0cc50985a2e8ae4f126dabb4b6a1c2be

    • SHA1

      4d20dd812a0b2d47f4b9b511538125a1ad5d917c

    • SHA256

      4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef

    • SHA512

      9916db8f6dcc3532d3f205d3d96154cdb511ac3b135a874f72f47be251feeedc3a83b9304f132b1e680b48b2d820dd88a2692cc1080baf88be4ffcb45d2cc439

    Score
    10/10
    raccoonredlinesmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5aspackv2backdoordiscoveryevasioninfostealerspywarestealersuricatatrojanvidarchrisfucker2media18937

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral4behavioral5behavioral6

    • Target

      578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3

    • Size

      4.6MB

    • MD5

      4f85f62146d5148f290ff107d4380941

    • SHA1

      5c513bcc232f36d97c2e893d1c763f3cbbf554ff

    • SHA256

      578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3

    • SHA512

      bc4ae4f7101b20ab649ea2a44d5da42875af5068c33c1772960c342cc8731bddfdabd721fb31a49523ea957615252d567a00346035bddacfa58cf97853587594

    Score
    10/10
    raccoonsmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5aspackv2backdoorevasionspywarestealersuricatatrojanredlinechrisfucker2infostealerpersistencemedia18

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral7behavioral8behavioral9

    • Target

      9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782

    • Size

      3.6MB

    • MD5

      9725f7f222530388cb2743504a6e0667

    • SHA1

      56d0eb91855e326b050c904147f4d9dafc596d70

    • SHA256

      9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782

    • SHA512

      ea5aedb3c3ab725c9afc65481ef7b59cdfad80613aaf43a8e76ec94045824269b008007644cb7943e65e98a87650f7f980afcd66ae1dee7807d84be57c018663

    Score
    10/10
    redlinesmokeloaderchrisfucker2media20aspackv2backdoorevasioninfostealerspywarestealersuricatatrojanpersistence

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral10behavioral11behavioral12

    • Target

      a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4

    • Size

      4.4MB

    • MD5

      bfc2137972c74edea0f9791b94486e9b

    • SHA1

      fd72e52406ce3f2ae5cfdb5dd8c7243f3ce31eb3

    • SHA256

      a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4

    • SHA512

      9fcd3756f9888e2000b94caf0d803087497b87428c0bd641901d2e416411bc698d9ca3a7a00d3cd711b681f3c8b8921f2a478f0ec1f975bc36fde5cf16741e75

    Score
    10/10
    raccoonredlinesmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5media18aspackv2backdoorevasioninfostealerspywarestealersuricatatrojanchris

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral13behavioral14behavioral15

    • Target

      acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0

    • Size

      3.5MB

    • MD5

      a75539ada819b941531f116f3d50b13b

    • SHA1

      942d264f3b0cc866c84114a06be4fa7aeb905b3c

    • SHA256

      acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0

    • SHA512

      ee89498995cc1a9a91c754c391082f7e38fa22fee413033b6cb9318a0008baa7e8bfcf2a1c3aebc3fa1c0cbace33c27b8979953868b01dc296c9e01e0c8e3b49

    Score
    10/10
    redlinesmokeloaderaspackv2backdoorevasioninfostealerspywarestealersuricatatrojanchrisfucker2media20persistencevidar937

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral16behavioral17behavioral18

    • Target

      cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2

    • Size

      5.6MB

    • MD5

      5802bc4fd763cd759b7875e94f9f2eaf

    • SHA1

      91eaa6e6f9b5c52a2b91806bfbf513ed336e3f6a

    • SHA256

      cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2

    • SHA512

      91f9c64c61456c91e74cad1c8a5f9aca54e44f00612085721c1b2ad8e9305679f3ed562939b0505843c06b619ab8f4818f3a537e33c122a02569cf080d13181a

    Score
    10/10
    redlinesmokeloadersocelarsaspackv2backdoordiscoveryevasioninfostealerspywarestealersuricatatrojanchrisnewmedia25persistence

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

    behavioral19behavioral20behavioral21

    • Target

      db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12

    • Size

      4.6MB

    • MD5

      c7f1d6db5efddf8b46441be0edfaadfd

    • SHA1

      e27a2fab7ac49b1709c8d9e0183b020f1be61fc6

    • SHA256

      db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12

    • SHA512

      856e4f8a48848b5ddc42af7c282fdbc87df641665c0a0fdb28d5af2b6ac3299d9ae3c9b9d25b145816092abd248df32c9ea4f72ea59217b50460d48fb95ecb9a

    Score
    10/10
    raccoonredlinesmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5fucker2aspackv2backdoorinfostealerstealersuricatatrojanarkeividarmedia18evasion

    • Arkei

      Arkei is an infostealer written in C++.

      stealerarkei

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata

    • Arkei Stealer Payload

      stealer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral22behavioral23behavioral24

    • Target

      e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6

    • Size

      834KB

    • MD5

      2c25a0926e5228d2205b3b8c8ef4d7f4

    • SHA1

      5f8a9d364dc3d03a5b11fd5be0629d0fb5a8c409

    • SHA256

      e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6

    • SHA512

      cafe8fae74d414015118b838b5e4b30183733d5e833c5db84a56bd2d5cf728cad08d2bbefbeadc86b15b7dbf6dc25fcabdffa8ff4fb346dc0f66376087a28468

    Score
    10/10
    suricata

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral25behavioral26behavioral27

    • Target

      f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb

    • Size

      5.9MB

    • MD5

      00987bdf68fafbdfa9dd1365a6827d72

    • SHA1

      f205c391087833eeb978895d37c2e199c4bf2747

    • SHA256

      f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb

    • SHA512

      9fb4e297f48a95d31a3bc82159b7304f29f50d9e7b823a91b6af02453deca7cf5ef50698b1aee9f00120c1d5d90de1b0fdbb5c92fedbc5823eea743d9e3e6319

    Score
    10/10
    redlinesmokeloadersocelarsaspackv2backdoorinfostealerspywarestealersuricatatrojanvidarchrismedia29discoveryevasionpersistence937srtupdate33

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

      suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

      suricata

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral28behavioral29behavioral30

MITRE ATT&CK Enterprise v6

Tasks

static1

Score
N/A

behavioral1

evasionspywarestealersuricatatrojan
Score
10/10

behavioral2

arkeigozi_ifsbredlinesmokeloadersocelarsvidarbackdoorbankerdiscoveryevasioninfostealerspywarestealersuricatathemidatrojanvmprotect
Score
10/10

behavioral3

metasploitredlinesmokeloadersocelars1011hudptestbackdoorevasioninfostealerspywarestealersuricatathemidatrojan
Score
10/10

behavioral4

raccoonredlinesmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5aspackv2backdoordiscoveryevasioninfostealerspywarestealersuricatatrojan
Score
10/10

behavioral5

raccoonredlinesocelarsvidarchrisfucker2media18aspackv2evasioninfostealerstealersuricata
Score
10/10

behavioral6

raccoonredlinesmokeloadersocelarsvidar2f2ad1a1aa093c5a9d17040c8efd5650a99640b5937chrisfucker2media18aspackv2backdoorevasioninfostealerstealersuricatatrojan
Score
10/10

behavioral7

raccoonsmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5aspackv2backdoorevasionspywarestealersuricatatrojan
Score
10/10

behavioral8

raccoonredlinesocelarschrisfucker2aspackv2evasioninfostealerpersistencestealersuricata
Score
10/10

behavioral9

raccoonredlinesmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5fucker2media18aspackv2backdoorevasioninfostealerstealersuricatatrojan
Score
10/10

behavioral10

redlinesmokeloaderchrisfucker2media20aspackv2backdoorevasioninfostealerspywarestealersuricatatrojan
Score
10/10

behavioral11

redlinechrismedia20aspackv2infostealerpersistence
Score
10/10

behavioral12

redlinesmokeloaderchrisfucker2media20aspackv2backdoorinfostealerspywarestealersuricatatrojan
Score
10/10

behavioral13

raccoonredlinesmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5media18aspackv2backdoorevasioninfostealerspywarestealersuricatatrojan
Score
10/10

behavioral14

raccoonredlinesocelarsaspackv2evasioninfostealerstealersuricata
Score
10/10

behavioral15

raccoonredlinesmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5chrismedia18aspackv2backdoorevasioninfostealerstealersuricatatrojan
Score
10/10

behavioral16

redlinesmokeloaderaspackv2backdoorevasioninfostealerspywarestealersuricatatrojan
Score
10/10

behavioral17

redlinechrisfucker2media20aspackv2evasioninfostealerpersistencesuricatatrojan
Score
10/10

behavioral18

redlinesmokeloadervidar937aspackv2backdoorinfostealerspywarestealersuricatatrojan
Score
10/10

behavioral19

redlinesmokeloadersocelarsaspackv2backdoordiscoveryevasioninfostealerspywarestealersuricatatrojan
Score
10/10

behavioral20

redlinesocelarschrisnewmedia25aspackv2evasioninfostealerpersistencestealersuricatatrojan
Score
10/10

behavioral21

redlinesmokeloadersocelarschrisnewmedia25aspackv2backdoorevasioninfostealerstealersuricatatrojan
Score
10/10

behavioral22

raccoonredlinesmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5fucker2aspackv2backdoorinfostealerstealersuricatatrojan
Score
10/10

behavioral23

arkeiraccoonredlinesmokeloadersocelarsvidarfucker2media18aspackv2backdoorevasioninfostealerstealersuricatatrojan
Score
10/10

behavioral24

raccoonredlinesmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5fucker2media18aspackv2backdoorevasioninfostealerstealersuricatatrojan
Score
10/10

behavioral25

suricata
Score
10/10

behavioral26

Score
10/10

behavioral27

suricata
Score
10/10

behavioral28

redlinesmokeloadersocelarsaspackv2backdoorinfostealerspywarestealersuricatatrojan
Score
10/10

behavioral29

redlinesocelarsvidarchrismedia29aspackv2discoveryevasioninfostealerpersistencespywarestealersuricatatrojan
Score
10/10

behavioral30

redlinesmokeloadersocelarsvidar937chrismedia29srtupdate33aspackv2backdoorevasioninfostealerstealersuricatatrojan
Score
10/10