Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
022e3c30a1...66.exe
windows7_x64
10022e3c30a1...66.exe
windows11_x64
10022e3c30a1...66.exe
windows10_x64
104d27dca0a1...ef.exe
windows7_x64
104d27dca0a1...ef.exe
windows11_x64
104d27dca0a1...ef.exe
windows10_x64
10578a3a7a2b...b3.exe
windows7_x64
10578a3a7a2b...b3.exe
windows11_x64
10578a3a7a2b...b3.exe
windows10_x64
109c4880a98c...82.exe
windows7_x64
109c4880a98c...82.exe
windows11_x64
109c4880a98c...82.exe
windows10_x64
10a1dad4a83d...c4.exe
windows7_x64
10a1dad4a83d...c4.exe
windows11_x64
10a1dad4a83d...c4.exe
windows10_x64
10acf1b7d80f...e0.exe
windows7_x64
10acf1b7d80f...e0.exe
windows11_x64
10acf1b7d80f...e0.exe
windows10_x64
10cbf31d825a...d2.exe
windows7_x64
10cbf31d825a...d2.exe
windows11_x64
10cbf31d825a...d2.exe
windows10_x64
10db76a117db...12.exe
windows7_x64
10db76a117db...12.exe
windows11_x64
10db76a117db...12.exe
windows10_x64
10e2ffb8aeeb...f6.exe
windows7_x64
10e2ffb8aeeb...f6.exe
windows11_x64
10e2ffb8aeeb...f6.exe
windows10_x64
10f2196668f4...cb.exe
windows7_x64
10f2196668f4...cb.exe
windows11_x64
10f2196668f4...cb.exe
windows10_x64
10General
-
Target
6711694555512832.zip
-
Size
37.7MB
-
Sample
211110-r7nbvaeddr
-
MD5
aedf5548afa01555c3de174aa6bfc654
-
SHA1
237aed5308abc0ebb8940a8418c7c5b65658cb06
-
SHA256
64506751e65ec41605c04620d393cdf9338ce76d31d8b0868dbdfce88f086a03
-
SHA512
c3ca677f3e4d9c4aee2c9777dd2da0d4d319c2cc78760c244a45a221d92b955c158279eae8a8a0c12c3d2ab35e575ff5b5292633ff58c24aa7f7860883ecc565
Static task
static1
Behavioral task
behavioral1
Sample
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
Resource
win11
Behavioral task
behavioral3
Sample
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
Resource
win10-en-20211014
Behavioral task
behavioral4
Sample
4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe
Resource
win7-en-20211104
Behavioral task
behavioral5
Sample
4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe
Resource
win11
Behavioral task
behavioral6
Sample
4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe
Resource
win10-en-20211014
Behavioral task
behavioral7
Sample
578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe
Resource
win7-en-20211014
Behavioral task
behavioral8
Sample
578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe
Resource
win11
Behavioral task
behavioral9
Sample
578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe
Resource
win10-en-20211104
Behavioral task
behavioral10
Sample
9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe
Resource
win7-en-20211014
Behavioral task
behavioral11
Sample
9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe
Resource
win11
Behavioral task
behavioral12
Sample
9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe
Resource
win10-en-20211014
Behavioral task
behavioral13
Sample
a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe
Resource
win7-en-20211104
Behavioral task
behavioral14
Sample
a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe
Resource
win11
Behavioral task
behavioral15
Sample
a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe
Resource
win10-en-20211014
Behavioral task
behavioral16
Sample
acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe
Resource
win7-en-20211104
Behavioral task
behavioral17
Sample
acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe
Resource
win11
Behavioral task
behavioral18
Sample
acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe
Resource
win10-en-20211014
Behavioral task
behavioral19
Sample
cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe
Resource
win7-en-20211014
Behavioral task
behavioral20
Sample
cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe
Resource
win11
Behavioral task
behavioral21
Sample
cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe
Resource
win10-en-20211014
Behavioral task
behavioral22
Sample
db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe
Resource
win7-en-20211104
Behavioral task
behavioral23
Sample
db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe
Resource
win11
Behavioral task
behavioral24
Sample
db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe
Resource
win10-en-20211104
Behavioral task
behavioral25
Sample
e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe
Resource
win7-en-20211014
Behavioral task
behavioral26
Sample
e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe
Resource
win11
Behavioral task
behavioral27
Sample
e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe
Resource
win10-en-20211104
Behavioral task
behavioral28
Sample
f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe
Resource
win7-en-20211014
Behavioral task
behavioral29
Sample
f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe
Resource
win11
Behavioral task
behavioral30
Sample
f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe
Resource
win10-en-20211104
Malware Config
Extracted
socelars
http://www.hhgenice.top/
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
Extracted
redline
tatreriash.xyz:80
Extracted
smokeloader
2020
http://nalirou70.top/
http://xacokuo80.top/
http://misha.at/upload/
http://roohaniinfra.com/upload/
http://0axqpcc.cn/upload/
http://mayak-lombard.ru/upload/
http://mebel-lass.ru/upload/
http://dishakhan.com/upload/
http://directorycart.com/upload/
http://tierzahnarzt.at/upload/
http://streetofcards.com/upload/
http://ycdfzd.com/upload/
http://successcoachceo.com/upload/
http://uhvu.cn/upload/
http://japanarticle.com/upload/
http://brandyjaggers.com/upload/
http://andbal.com/upload/
http://alotofquotes.com/upload/
http://szpnc.cn/upload/
http://uggeboots.com/upload/
http://100klv.com/upload/
http://rapmusic.at/upload/
Extracted
redline
udptest
193.56.146.64:65441
Extracted
redline
1011h
charirelay.xyz:80
Extracted
metasploit
windows/single_exec
Extracted
raccoon
2f2ad1a1aa093c5a9d17040c8efd5650a99640b5
-
url4cnc
http://telegatt.top/oh12manymarty
http://telegka.top/oh12manymarty
http://telegin.top/oh12manymarty
https://t.me/oh12manymarty
Extracted
redline
Chris
194.104.136.5:46013
Extracted
redline
media18
91.121.67.60:2151
Extracted
redline
fucker2
135.181.129.119:4805
Extracted
vidar
48.1
937
-
profile_id
937
Extracted
redline
media20
91.121.67.60:2151
Extracted
redline
media25
91.121.67.60:23325
Extracted
redline
ChrisNEW
194.104.136.5:46013
Extracted
redline
chris
194.104.136.5:46013
Extracted
redline
media29
91.121.67.60:23325
Extracted
redline
srtupdate33
135.181.129.119:4805
Targets
-
-
Target
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66
-
Size
403KB
-
MD5
f957e397e71010885b67f2afe37d8161
-
SHA1
a8bf84b971b37ac6e7f66c5e5a7e971a7741401e
-
SHA256
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66
-
SHA512
8b5e9cb926fafc295c403c1fce7aa883db3a327e58c3295e9a081a8937bed28e305cca08c2c7d98080818095ea99bb4047e10aa2f61e3e4d6d965aef6d16a4f6
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
-
Arkei Stealer Payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef
-
Size
4.7MB
-
MD5
0cc50985a2e8ae4f126dabb4b6a1c2be
-
SHA1
4d20dd812a0b2d47f4b9b511538125a1ad5d917c
-
SHA256
4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef
-
SHA512
9916db8f6dcc3532d3f205d3d96154cdb511ac3b135a874f72f47be251feeedc3a83b9304f132b1e680b48b2d820dd88a2692cc1080baf88be4ffcb45d2cc439
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE ClipBanker Variant Activity (POST)
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3
-
Size
4.6MB
-
MD5
4f85f62146d5148f290ff107d4380941
-
SHA1
5c513bcc232f36d97c2e893d1c763f3cbbf554ff
-
SHA256
578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3
-
SHA512
bc4ae4f7101b20ab649ea2a44d5da42875af5068c33c1772960c342cc8731bddfdabd721fb31a49523ea957615252d567a00346035bddacfa58cf97853587594
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782
-
Size
3.6MB
-
MD5
9725f7f222530388cb2743504a6e0667
-
SHA1
56d0eb91855e326b050c904147f4d9dafc596d70
-
SHA256
9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782
-
SHA512
ea5aedb3c3ab725c9afc65481ef7b59cdfad80613aaf43a8e76ec94045824269b008007644cb7943e65e98a87650f7f980afcd66ae1dee7807d84be57c018663
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE ClipBanker Variant Activity (POST)
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4
-
Size
4.4MB
-
MD5
bfc2137972c74edea0f9791b94486e9b
-
SHA1
fd72e52406ce3f2ae5cfdb5dd8c7243f3ce31eb3
-
SHA256
a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4
-
SHA512
9fcd3756f9888e2000b94caf0d803087497b87428c0bd641901d2e416411bc698d9ca3a7a00d3cd711b681f3c8b8921f2a478f0ec1f975bc36fde5cf16741e75
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE ClipBanker Variant Activity (POST)
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0
-
Size
3.5MB
-
MD5
a75539ada819b941531f116f3d50b13b
-
SHA1
942d264f3b0cc866c84114a06be4fa7aeb905b3c
-
SHA256
acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0
-
SHA512
ee89498995cc1a9a91c754c391082f7e38fa22fee413033b6cb9318a0008baa7e8bfcf2a1c3aebc3fa1c0cbace33c27b8979953868b01dc296c9e01e0c8e3b49
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE ClipBanker Variant Activity (POST)
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2
-
Size
5.6MB
-
MD5
5802bc4fd763cd759b7875e94f9f2eaf
-
SHA1
91eaa6e6f9b5c52a2b91806bfbf513ed336e3f6a
-
SHA256
cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2
-
SHA512
91f9c64c61456c91e74cad1c8a5f9aca54e44f00612085721c1b2ad8e9305679f3ed562939b0505843c06b619ab8f4818f3a537e33c122a02569cf080d13181a
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE ClipBanker Variant Activity (POST)
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
autoit_exe
AutoIT scripts compiled to PE executables.
-
-
-
Target
db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12
-
Size
4.6MB
-
MD5
c7f1d6db5efddf8b46441be0edfaadfd
-
SHA1
e27a2fab7ac49b1709c8d9e0183b020f1be61fc6
-
SHA256
db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12
-
SHA512
856e4f8a48848b5ddc42af7c282fdbc87df641665c0a0fdb28d5af2b6ac3299d9ae3c9b9d25b145816092abd248df32c9ea4f72ea59217b50460d48fb95ecb9a
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
-
Arkei Stealer Payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6
-
Size
834KB
-
MD5
2c25a0926e5228d2205b3b8c8ef4d7f4
-
SHA1
5f8a9d364dc3d03a5b11fd5be0629d0fb5a8c409
-
SHA256
e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6
-
SHA512
cafe8fae74d414015118b838b5e4b30183733d5e833c5db84a56bd2d5cf728cad08d2bbefbeadc86b15b7dbf6dc25fcabdffa8ff4fb346dc0f66376087a28468
Score10/10-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE ClipBanker Variant Activity (POST)
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb
-
Size
5.9MB
-
MD5
00987bdf68fafbdfa9dd1365a6827d72
-
SHA1
f205c391087833eeb978895d37c2e199c4bf2747
-
SHA256
f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb
-
SHA512
9fb4e297f48a95d31a3bc82159b7304f29f50d9e7b823a91b6af02453deca7cf5ef50698b1aee9f00120c1d5d90de1b0fdbb5c92fedbc5823eea743d9e3e6319
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Vidar Stealer
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
2Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
Disabling Security Tools
1Install Root Certificate
1Modify Registry
5Virtualization/Sandbox Evasion
1Web Service
1