6040081023533056.zip
Size | 210MB |
Task ID | 211110-r84p8aedej |
MD5 | 718122e481538fe9069b13d4ad3feccf |
SHA1 | bd021b079d05d335981651154afe30f158f3f036 |
SHA256 | 400debff42246bcf28d1eba937480ebdfa755c932707db10ab58ec4a1f5e94f1 |
SHA512 | 5d24fa36f6caa029bb65c50dfea219ab66262bdd6b54a20eefabed7cb9c9c961c189e25304e43ceaf19a4eaa5c7c3618727d36fd3b9ac30b0d083227334dae12 |
Extracted
Family | smokeloader |
Version | 2020 |
C2 |
http://gmpeople.com/upload/ http://mile48.com/upload/ http://lecanardstsornin.com/upload/ http://m3600.com/upload/ http://camasirx.com/upload/ http://nalirou70.top/ http://xacokuo80.top/ http://directorycart.com/upload/ http://tierzahnarzt.at/upload/ http://streetofcards.com/upload/ http://ycdfzd.com/upload/ http://successcoachceo.com/upload/ http://uhvu.cn/upload/ http://japanarticle.com/upload/ http://bostoc.com/upload/ http://qianyoupj.cn/upload/ http://sleoppen.com/upload/ http://stempelbeton.at/upload/ |
rc4.i32 |
|
rc4.i32 |
|
rc4.i32 |
|
rc4.i32 |
|
Extracted
Family | redline |
C2 |
tatreriash.xyz:80 |
Extracted
Family | redline |
Botnet | she |
C2 |
135.181.129.119:4805 |
Extracted
Family | socelars |
C2 |
http://www.hhgenice.top/ http://www.iyiqian.com/ http://www.hbgents.top/ http://www.rsnzhy.com/ http://www.znsjis.top/ http://www.efxety.top/ |
Extracted
Family | redline |
Botnet | udptest |
C2 |
193.56.146.64:65441 |
Extracted
Family | vidar |
Version | 48.1 |
Botnet | 937 |
Attributes |
profile_id 937 |
Extracted
Family | redline |
Botnet | 1011h |
C2 |
charirelay.xyz:80 |
Extracted
Family | redline |
Botnet | ANI |
C2 |
194.104.136.5:46013 45.142.215.47:27643 |
Extracted
Family | redline |
Botnet | media14 |
C2 |
91.121.67.60:2151 |
Extracted
Family | raccoon |
Botnet | 2f2ad1a1aa093c5a9d17040c8efd5650a99640b5 |
Attributes |
url4cnc http://telegatt.top/oh12manymarty http://telegka.top/oh12manymarty http://telegin.top/oh12manymarty https://t.me/oh12manymarty |
rc4.plain |
|
rc4.plain |
|
Extracted
Family | redline |
Botnet | Chris |
C2 |
194.104.136.5:46013 |
Extracted
Family | redline |
Botnet | media18 |
C2 |
91.121.67.60:2151 |
Extracted
Family | redline |
Botnet | fucker2 |
C2 |
135.181.129.119:4805 |
Extracted
Family | vidar |
Version | 41.4 |
Botnet | 916 |
C2 |
https://mas.to/@sslam |
Attributes |
profile_id 916 |
Extracted
Family | redline |
Botnet | media17 |
C2 |
91.121.67.60:2151 |
Extracted
Family | redline |
Botnet | fuck1 |
C2 |
135.181.129.119:4805 |
Extracted
Family | vidar |
Version | 41.5 |
Botnet | 916 |
C2 |
https://mas.to/@xeroxxx |
Attributes |
profile_id 916 |
Extracted
Family | redline |
Botnet | media13 |
C2 |
91.121.67.60:2151 |
Extracted
Language | ps1 |
Deobfuscated |
|
URLs |
ps1.dropper
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1 |
Extracted
Family | raccoon |
Version | 1.8.3-hotfix |
Botnet | fcdc156d3872c18d25e3ee45499599b45e492a67 |
Attributes |
url4cnc http://178.23.190.57/rino115sipsip http://91.219.236.162/rino115sipsip http://185.163.47.176/rino115sipsip http://193.38.54.238/rino115sipsip http://74.119.192.122/rino115sipsip http://91.219.236.240/rino115sipsip https://t.me/rino115sipsip |
rc4.plain |
|
rc4.plain |
|
Extracted
Family | vidar |
Version | 41.3 |
Botnet | 916 |
C2 |
https://mas.to/@oleg98 |
Attributes |
profile_id 916 |
Extracted
Language | ps1 |
Source |
|
URLs |
exe.dropper
https://cdn.discordapp.com/attachments/523238636561629190/894846072097218580/ghielufuzymmuibugkhmviaajvfwio.exe |
Extracted
Family | redline |
Botnet | 05.10 |
C2 |
80.92.205.116:59599 |
Extracted
Family | redline |
Botnet | media12 |
C2 |
91.121.67.60:2151 |
Extracted
Family | redline |
Botnet | build |
C2 |
77.232.40.127:8204 |
Extracted
Family | redline |
Botnet | media15 |
C2 |
91.121.67.60:2151 |
Extracted
Family | redline |
Botnet | media20 |
C2 |
91.121.67.60:2151 |
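The C2 and url4cnc values in the Extracted blocks above are what a responder needs out of this report. The script below is an added example, not part of the report or of the Triage service: it parses the flattened block format into one IOC table, merges the RedLine C2 that is reused across botnets, keeps Raccoon's url4cnc entries apart from true C2 (they are Telegram and web dead-drop pages the sample reads to learn its real C2 address), and marks shared services such as mas.to and t.me alert-only rather than block, which is the point of the report's "Legitimate hosting services abused for malware hosting/C2" signature. The SHARED_SERVICES set and the block/alert-only split are this editor's choices; the report does not state them.

```python
"""Turn a Triage-style report's 'Extracted' blocks into a single IOC table.
Added example for this page, not the report's or Triage's own code.  A block
starts with 'Extracted'; simple fields look like 'Family | redline |'; multi-
value fields ('C2 |', 'Attributes |', 'rc4.i32 |') put their value on the next line."""
from collections import defaultdict
from urllib.parse import urlparse

# Excerpt copied from the Extracted section of this report (smokeloader C2 list cut to three).
REPORT_EXCERPT = """\
Extracted
Family | smokeloader |
Version | 2020 |
C2 |
http://gmpeople.com/upload/ http://mile48.com/upload/ http://nalirou70.top/ |
rc4.i32 |
|
Extracted
Family | redline |
Botnet | she |
C2 |
135.181.129.119:4805 |
Extracted
Family | redline |
Botnet | fucker2 |
C2 |
135.181.129.119:4805 |
Extracted
Family | vidar |
Botnet | 916 |
C2 |
https://mas.to/@sslam |
Extracted
Family | raccoon |
Botnet | 2f2ad1a1aa093c5a9d17040c8efd5650a99640b5 |
Attributes |
url4cnc http://telegatt.top/oh12manymarty https://t.me/oh12manymarty |
"""

# Editor's list of shared legitimate services seen in the report: alert, do not block.
SHARED_SERVICES = {"t.me", "mas.to", "cdn.discordapp.com", "raw.githubusercontent.com"}

def parse_blocks(text):
    """Parse the flattened report text into one dict per Extracted block."""
    blocks, cur, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Extracted":
            cur = {"C2": [], "Attributes": {}}
            blocks.append(cur)
            pending = None
            continue
        if cur is None or not line:
            continue
        cells = [c.strip() for c in line.split("|")]
        if pending is not None:              # value line of a multi-value field
            tokens = cells[0].split()
            if pending == "Attributes" and tokens:
                cur["Attributes"][tokens[0]] = tokens[1:]   # 'url4cnc <url> <url>'
            elif pending == "C2":
                cur["C2"].extend(tokens)
            else:
                cur[pending] = " ".join(tokens)             # '' for blank rc4 fields
            pending = None
        elif len(cells) >= 3 and cells[1]:   # 'Family | redline |'
            cur[cells[0]] = cells[1]
        else:                                # 'C2 |', 'Attributes |', 'rc4.i32 |'
            pending = cells[0]
    return blocks

def normalize_c2(entry):
    """Reduce a URL or host:port entry to (host, port)."""
    if "://" in entry:
        u = urlparse(entry)
        return u.hostname, u.port or (443 if u.scheme == "https" else 80)
    host, _, port = entry.rpartition(":")
    return host, int(port)

def build_iocs(blocks):
    """Merge blocks into {(host, port): {families, botnets, roles}}; Raccoon's
    url4cnc dead-drop pages get role 'dead-drop', real C2 gets role 'c2'."""
    iocs = defaultdict(lambda: {"families": set(), "botnets": set(), "roles": set()})
    for b in blocks:
        fam, bot = b.get("Family", "unknown"), b.get("Botnet")
        sources = [(c2, "c2") for c2 in b["C2"]]
        sources += [(u, "dead-drop") for u in b["Attributes"].get("url4cnc", [])]
        for entry, role in sources:
            rec = iocs[normalize_c2(entry)]
            rec["families"].add(fam)
            rec["roles"].add(role)
            if bot:
                rec["botnets"].add(bot)
    return dict(iocs)

def recommend(iocs):
    """Rows (host, port, action, families, botnets, roles) for blocklist review."""
    rows = []
    for (host, port), rec in sorted(iocs.items()):
        action = "alert-only" if host in SHARED_SERVICES else "block"
        rows.append((host, port, action, ",".join(sorted(rec["families"])),
                     ",".join(sorted(rec["botnets"])), ",".join(sorted(rec["roles"]))))
    return rows
```

Run `recommend(build_iocs(parse_blocks(REPORT_EXCERPT)))` on the full Extracted section to get the review table; the botnets column is what ties a blocklist entry back to the specific RedLine builds (she, fucker2, media12 to media20) that share one socket.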
SHA256 | 01a53007f9b19d8ae4f12cc75bafcbef064f75d3a4b31b347b334a2d30558d68 |
MD5 | b5b1415b3890d0108ac53acd595497b9 |
Size | 3MB |
SHA1 | 876eb8e34ecb3c1fea20e2c6b710346676ad2de2 |
SHA512 | fe58023cba73deac0229cd45b73227e5d1c1f6760f3f053dbcdb4f388d6234940985f57ab8ffc73c4e8eff4bf3a2ef956cd44bdcdd66c44c1cc1ea86e335e4d0 |
Tags
Signatures
-
Modifies Windows Defender Real-time Protection settings
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Socelars
Description
Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags
-
Socelars Payload
-
rl_trojan
Description
redline stealer.
Tags
-
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Description
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Tags
-
suricata: ET MALWARE GCleaner Downloader Activity M5
Description
suricata: ET MALWARE GCleaner Downloader Activity M5
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags
-
ASPack v2.12-2.42
Description
Detects executables packed with ASPack v2.12-2.42
Tags
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
Tags
TTPs
-
Checks computer location settings
Description
Looks up country code configured in the registry, likely geofence.
TTPs
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Themida packer
Description
Detects Themida, an advanced Windows software protection system.
Tags
-
Legitimate hosting services abused for malware hosting/C2
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Description
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
Related Tasks
SHA256 | 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66 |
MD5 | f957e397e71010885b67f2afe37d8161 |
Size | 403KB |
SHA1 | a8bf84b971b37ac6e7f66c5e5a7e971a7741401e |
SHA512 | 8b5e9cb926fafc295c403c1fce7aa883db3a327e58c3295e9a081a8937bed28e305cca08c2c7d98080818095ea99bb4047e10aa2f61e3e4d6d965aef6d16a4f6 |
Tags
Signatures
-
Gozi, Gozi ISFB
Description
Gozi ISFB is a well-known and widely distributed banking trojan.
Tags
-
Modifies Windows Defender Real-time Protection settings
Tags
TTPs
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Socelars
Description
Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Vidar
Description
Vidar is an infostealer based on Arkei stealer.
Tags
-
suricata: ET MALWARE GCleaner Downloader Activity M5
Description
suricata: ET MALWARE GCleaner Downloader Activity M5
Tags
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
Description
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags
-
xmrig
Description
XMRig is a high performance, open source, cross platform CPU/GPU miner.
Tags
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags
TTPs
-
Vidar Stealer
Tags
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
Tags
TTPs
-
VMProtect packed file
Description
Detects executables packed with VMProtect commercial packer.
Tags
-
Checks BIOS information in registry
Description
BIOS information is often read in order to detect sandboxing environments.
TTPs
-
Checks computer location settings
Description
Looks up country code configured in the registry, likely geofence.
TTPs
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Themida packer
Description
Detects Themida, an advanced Windows software protection system.
Tags
-
Checks installed software on the system
Description
Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags
TTPs
-
Checks whether UAC is enabled
Tags
TTPs
-
Legitimate hosting services abused for malware hosting/C2
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Description
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
Related Tasks
SHA256 | 02ca2b5bb774890c50950ad93becc2851bac8d04c35464dad4854088c5db4135 |
MD5 | dcd0d8a4e476db4602f3beae6a60b4c9 |
Size | 6MB |
SHA1 | 7906d0674d60685b06289db375eacf954e3185e3 |
SHA512 | 62301111141dcc72862dde4d277b4250c25bb7532105348bbb51e8ca30ded5c985016a61978509c271210faf50cbe5d789ce5f6de84511167b2c5131e8041bd8 |
Tags
Signatures
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Socelars
Description
Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags
-
Socelars Payload
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags
-
ASPack v2.12-2.42
Description
Detects executables packed with ASPack v2.12-2.42
Tags
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Description
Uses a legitimate geolocation service to find the infected system's geolocation info.
Related Tasks
SHA256 | 0d69cafe700a952a621c9b5981504e30c939c3d6cc34452691fce67b2eb6c1cd |
MD5 | a121db3e0809289a5c41c44958ff6fa0 |
Size | 5MB |
SHA1 | fd40bbe6eaeea4004046f65a8c647fabb35e1742 |
SHA512 | 0e4af224ea67c07bdce0bae3b4040d900e2c011557ef55d8d0e68d596826561a8d4f3b553cc3290cf60e87ccee975deb65c1de9553fabfee5f67268935d8081f |
Tags
Signatures
-
Modifies Windows Defender Real-time Protection settings
Tags
TTPs
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Socelars
Description
Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags
-
Socelars Payload
-
suricata: ET MALWARE GCleaner Downloader Activity M5
Description
suricata: ET MALWARE GCleaner Downloader Activity M5
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags
-
ASPack v2.12-2.42
Description
Detects executables packed with ASPack v2.12-2.42
Tags
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
Tags
TTPs
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Legitimate hosting services abused for malware hosting/C2
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Description
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
Related Tasks
SHA256 | 0df647f0a2aa6c1aa1ec9426b9ef7c23eb6394f3ed29fbbdd0e9e228d24510bc |
MD5 | 5fdb93aaa25f3b7e5a0a7d046e92df52 |
Size | 4MB |
SHA1 | 450ea998b3090ef6922200b87e49fd0c7f543420 |
SHA512 | 85421cae4393bd86da4a1d48fbfd4f1fa14ae3c369f9f3da5f4ef5684ce18ed5576d9e221a1264f01cb9a6211113ca64a16e708671f83e946773cd0c430dd8e6 |
Tags
Signatures
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Description
Simple but powerful infostealer which was very active in 2019.
Tags
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Socelars
Description
Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
suricata: ET MALWARE GCleaner Downloader Activity M5
Description
suricata: ET MALWARE GCleaner Downloader Activity M5
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags
-
ASPack v2.12-2.42
Description
Detects executables packed with ASPack v2.12-2.42
Tags
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
Tags
TTPs
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Legitimate hosting services abused for malware hosting/C2
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Description
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
Related Tasks
SHA256 | 1df367eead22695952cce5131891dfec5c479da37cb3dac0403015ebb785032c |
MD5 | cc2c8271c80d294b35d51b0721d59ba5 |
Size | 4MB |
SHA1 | 397ee3270770e940ee868d3d06d9feaed1599d79 |
SHA512 | ecfd4c52c008a86ca387a00c530fcac2971080b5cabae4d91da425f3cb042ca2e363c5048c0ea7349ea446f4e3797c04448b84a863fbf9672dded861cc22f34c |
Tags
Signatures
-
Modifies Windows Defender Real-time Protection settings
Tags
TTPs
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Description
Simple but powerful infostealer which was very active in 2019.
Tags
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Socelars
Description
Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Vidar
Description
Vidar is an infostealer based on Arkei stealer.
Tags
-
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Description
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Tags
-
suricata: ET MALWARE GCleaner Downloader Activity M5
Description
suricata: ET MALWARE GCleaner Downloader Activity M5
Tags
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Description
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Tags
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Description
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Tags
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Description
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags
TTPs
-
ASPack v2.12-2.42
Description
Detects executables packed with ASPack v2.12-2.42
Tags
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
Tags
TTPs
-
Checks BIOS information in registry
Description
BIOS information is often read in order to detect sandboxing environments.
TTPs
-
Checks computer location settings
Description
Looks up country code configured in the registry, likely geofence.
TTPs
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Accesses 2FA software files, possible credential harvesting
Tags
TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting
Tags
TTPs
-
Checks installed software on the system
Description
Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags
TTPs
-
Checks whether UAC is enabled
Tags
TTPs
-
Legitimate hosting services abused for malware hosting/C2
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Description
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
Related Tasks
SHA256 | 1e083736aeca35b40f45693442d37466fa7b61ab36b2cebc2a49cb8c8492a433 |
MD5 | 2054a395da9f7a789bef703c5d2d60c1 |
Size | 5MB |
SHA1 | f170cbc93d4fb3f4f92ccd88039272bf78bdfa89 |
SHA512 | 1439382b36a24d898fc769a742b05c2c9ad898a6e5750e0f7e813fd5d536834e44572061efb0c89af72c5a97c3502e9ee30c2c861154f0fbb4c4164e3880ffcf |
Tags
Signatures
-
Modifies Windows Defender Real-time Protection settings
Tags
TTPs
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Socelars
Description
Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Vidar
Description
Vidar is an infostealer based on Arkei stealer.
Tags
-
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Description
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Tags
-
suricata: ET MALWARE GCleaner Downloader Activity M5
Description
suricata: ET MALWARE GCleaner Downloader Activity M5
Tags
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Description
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Tags
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Description
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Tags
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Description
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Tags
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Description
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags
-
xmrig
Description
XMRig is a high performance, open source, cross platform CPU/GPU miner.
Tags
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags
TTPs
-
Vidar Stealer
Tags
-
ASPack v2.12-2.42
Description
Detects executables packed with ASPack v2.12-2.42
Tags
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
Tags
TTPs
-
Checks BIOS information in registry
Description
BIOS information is often read in order to detect sandboxing environments.
TTPs
-
Checks computer location settings
Description
Looks up country code configured in the registry, likely geofence.
TTPs
-
Drops startup file
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Accesses 2FA software files, possible credential harvesting
Tags
TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting
Tags
TTPs
-
Adds Run key to start application
Tags
TTPs
-
Checks installed software on the system
Description
Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags
TTPs
-
Checks whether UAC is enabled
Tags
TTPs
-
Legitimate hosting services abused for malware hosting/C2
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Description
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
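Most entries in the signature list above are single registry reads or writes: the VirtualBox ACPI check, the BIOS and Geo\Nation lookups, the Uninstall and EnableLUA enumeration, the Defender Real-time Protection write, the Run key. The detection logic below is an added example, not part of the report or of the sandbox: it maps raw registry events to those signature names and ranks a process from what it touched, treating a write that disables defences or installs persistence as decisive on its own while read-only checks only count in combination (a lone UAC or Uninstall lookup is ordinary for installers). The registry paths are this editor's assumptions about what each signature commonly fires on, since the report does not list them, and the event records are constructed, not taken from the tasks above.

```python
"""Map registry events to the behavioural signature names used in this report.
Added example, not the report's or the sandbox's own code.  Registry paths are
the editor's assumptions for what each signature commonly fires on; the sample
events are constructed."""
import re
from collections import defaultdict

# (signature name as printed in the report, operations, category, regex over "key\value")
SIGNATURES = [
    ("Modifies Windows Defender Real-time Protection settings", {"SetValue"}, "defense-evasion",
     r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\Disable(RealtimeMonitoring|BehaviorMonitoring|OnAccessProtection|ScanOnRealtimeEnable)$"),
    ("Adds Run key to start application", {"SetValue"}, "persistence",
     r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\"),
    ("Sets DLL path for service in the registry", {"SetValue"}, "persistence",
     r"\\Services\\[^\\]+\\Parameters\\ServiceDll$"),
    ("Modifies RDP port number used by Windows", {"SetValue"}, "remote-access",
     r"\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber$"),
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)", {"QueryValue", "EnumKey", "Open"}, "sandbox-evasion",
     r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__"),
    ("Checks BIOS information in registry", {"QueryValue"}, "sandbox-evasion",
     r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|SystemBiosDate|VideoBiosVersion)$"),
    ("Checks computer location settings", {"QueryValue"}, "geofence",
     r"\\Control Panel\\International\\Geo\\Nation$"),
    ("Checks installed software on the system", {"QueryValue", "EnumKey", "Open"}, "discovery",
     r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)"),
    ("Checks whether UAC is enabled", {"QueryValue"}, "discovery",
     r"\\CurrentVersion\\Policies\\System\\EnableLUA$"),
]
COMPILED = [(name, ops, cat, re.compile(rx, re.IGNORECASE)) for name, ops, cat, rx in SIGNATURES]

# Constructed event records (not from the report): (process, operation, key, value name).
SAMPLE_EVENTS = [
    ("sample.exe", "QueryValue", r"HKLM\HARDWARE\ACPI\DSDT\VBOX__", ""),
    ("sample.exe", "QueryValue", r"HKLM\HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    ("sample.exe", "QueryValue", r"HKCU\Control Panel\International\Geo", "Nation"),
    ("sample.exe", "EnumKey", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", ""),
    ("sample.exe", "QueryValue", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"),
    ("sample.exe", "SetValue", r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableRealtimeMonitoring"),
    ("sample.exe", "SetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater"),
    ("explorer.exe", "QueryValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden"),
    ("svchost.exe", "QueryValue", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"),
]

def match_event(op, key, value_name):
    """Return the (signature, category) pairs one registry event satisfies."""
    path = key + "\\" + value_name if value_name else key
    return [(name, cat) for name, ops, cat, rx in COMPILED if op in ops and rx.search(path)]

def classify(events):
    """Group distinct signature hits per process, in first-seen order."""
    hits = defaultdict(list)
    for proc, op, key, value_name in events:
        for hit in match_event(op, key, value_name):
            if hit not in hits[proc]:
                hits[proc].append(hit)
    return dict(hits)

def triage(hits):
    """Writes that disable defences, persist or open remote access are decisive;
    read-only checks need two or more categories before a process is flagged."""
    verdicts = {}
    for proc, pairs in hits.items():
        cats = {cat for _, cat in pairs}
        if cats & {"defense-evasion", "persistence", "remote-access"}:
            verdicts[proc] = "malicious"
        elif len(cats) >= 2:
            verdicts[proc] = "suspicious"
        else:
            verdicts[proc] = "benign"
    return verdicts
```

Feed `classify` the registry operations from an EDR or Sysmon export (event type, key and value name are the only fields it needs); the operation filter matters, since a QueryValue on the Defender policy key is a harmless read and only a SetValue there counts as tampering.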
Related Tasks
SHA256 | 1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d |
MD5 | 2b01f663d5244764e8c2d164d3345fd6 |
Size | 7MB |
SHA1 | 2b0dfcc018a5da0f140352bd114fb0f5e9abdfc3 |
SHA512 | 2c7dd219673800320e3432ff6d8d2e5c2c3ae60a5f5960097d16ff79f385186ce13a81ea5a2b3d17652161d55ea552712f73d2d154b377fa74ec10043469dab4 |
Tags
Signatures
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Description
Simple but powerful infostealer which was very active in 2019.
Tags
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Socelars
Description
Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags
-
Socelars Payload
-
Vidar
Description
Vidar is an infostealer based on Arkei stealer.
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags
-
Vidar Stealer
Tags
-
ASPack v2.12-2.42
Description
Detects executables packed with ASPack v2.12-2.42
Tags
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Description
Uses a legitimate geolocation service to find the infected system's geolocation info.
Related Tasks
SHA256 | 2010009ff5b8b55fbcaa90318461a1b5b69ef6c8fd32ac279e81a10844d57859 |
MD5 | 8e909af6cbb66bc255609e7d86360e7c |
Size | 3MB |
SHA1 | 3b3fbbe358970adea4c69ea8a0251407697a09e0 |
SHA512 | bd943f7562b3849695d5cec246366fc8fc811359edf890a41ed3169bd582e68b02c5831fca738b88a4d71c0e42dd3d202bc48cbc49bad24754465b410369826a |
Tags
Signatures
-
Modifies Windows Defender Real-time Protection settings
Tags
TTPs
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Socelars
Description
Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Vidar
Description
Vidar is an infostealer based on Arkei stealer.
Tags
-
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Description
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Tags
-
suricata: ET MALWARE GCleaner Downloader Activity M5
Description
suricata: ET MALWARE GCleaner Downloader Activity M5
Tags
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Description
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Tags
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Description
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Tags
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Description
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Tags
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Description
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags
TTPs
-
Vidar Stealer
Tags
-
ASPack v2.12-2.42
Description
Detects executables packed with ASPack v2.12-2.42
Tags
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
Description
BIOS information is often read in order to detect sandboxing environments.
TTPs
-
Checks computer location settings
Description
Looks up country code configured in the registry, likely geofence.
TTPs
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Accesses 2FA software files, possible credential harvesting
Tags
TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting
Tags
TTPs
-
Adds Run key to start application
Tags
TTPs
-
Checks installed software on the system
Description
Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags
TTPs
-
Checks whether UAC is enabled
Tags
TTPs
-
Legitimate hosting services abused for malware hosting/C2
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Description
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
Related Tasks
SHA256 | 243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493 |
MD5 | 664aed619fcf50da08dc9d74f48aad57 |
Size | 4MB |
SHA1 | 995df8d6655cf256187df9bc9699bdd094c33616 |
SHA512 | c2b5326396712ef94b51ab52e5f655134978af980db04c09c3cb7a6fce5e236087da790a65b493c1e9760617a2867070ad824a2d458f38a65916594d313254fc |
Tags
Signatures
-
Modifies Windows Defender Real-time Protection settings
Tags
TTPs
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Description
Simple but powerful infostealer which was very active in 2019.
Tags
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Socelars
Description
Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Vidar
Description
Vidar is an infostealer based on Arkei stealer.
Tags
-
suricata: ET MALWARE GCleaner Downloader Activity M5
Description
suricata: ET MALWARE GCleaner Downloader Activity M5
Tags
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Description
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Tags
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Description
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Tags
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Description
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags
-
ASPack v2.12-2.42
Description
Detects executables packed with ASPack v2.12-2.42
Tags
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
Tags
TTPs
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Legitimate hosting services abused for malware hosting/C2
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Description
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
Related Tasks
SHA256 | 2d63a14e4ab37be8d0eee3d87959e3a0ef972d07411c136ecf2f1ac4191a701a |
MD5 | e04c606d6936962fe40913b1654410d8 |
Size | 3MB |
SHA1 | 37a7a94ea89f4697ad779a43c907deef4fd04f89 |
SHA512 | a98c183a3b9b4cc34544f9cd1ba5ba4a41595ce06d21e0ae2598adc96096411e94a09e3ef72bdc49f7a74b2d58bd7274e041eee2c4d3cee6f2476b3c000c8ba2 |
Tags
Signatures
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Description
Simple but powerful infostealer which was very active in 2019.
Tags
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Socelars
Description
Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Description
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Tags
-
suricata: ET MALWARE ServHelper CnC Inital Checkin
Description
suricata: ET MALWARE ServHelper CnC Inital Checkin
Tags
-
Grants admin privileges
Description
Uses net.exe to modify the user's privileges.
TTPs
-
ASPack v2.12-2.42
Description
Detects executables packed with ASPack v2.12-2.42
Tags
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies RDP port number used by Windows
TTPs
-
Sets DLL path for service in the registry
Tags
TTPs
-
Deletes itself
-
Drops startup file
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Legitimate hosting services abused for malware hosting/C2
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Description
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
Related Tasks
30e6815ae008a8638c5b30460098904121e0b98c7e87784d950f1dc55aafec51
af6e236e2635e451927e7e99f159709a
8KB
ff5a827131c817a3bf95bb8b798b272101428618
30e6815ae008a8638c5b30460098904121e0b98c7e87784d950f1dc55aafec51
4b4fd1668211f7193c0b41bb014015f9502b2b75cb0237500c4754e3925d16f719e5154b5fe3cc328d867cfd3cd480802d6150140a48ba5a6ca407100b4b08e6
Related Tasks
364d3b0e9456ecff4518f48695df817af1fdcd76c1f9644a35cfe5ec621e5ffa
395991dd927c34de92ef13d9dad8664a
5MB
d7a6e083fc39aa0933865549dd553e83e7f486bf
364d3b0e9456ecff4518f48695df817af1fdcd76c1f9644a35cfe5ec621e5ffa
f27eb6c9c63e1a40dc675b40b419481b95e27e4ceff042fe94a0ef8a77568844900d962485cfd7a1035203161693cba320375b5cc57cd12c51695a5252d78fb3
Tags
Signatures
-
Modifies Windows Defender Real-time Protection settings
Tags
TTPs
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Socelars
Description
Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Vidar
Description
Vidar is an infostealer based on Arkei stealer.
Tags
-
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Description
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Tags
-
suricata: ET MALWARE GCleaner Downloader Activity M5
Description
suricata: ET MALWARE GCleaner Downloader Activity M5
Tags
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Description
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Tags
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Description
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Tags
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Description
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Tags
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Description
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags
TTPs
-
Vidar Stealer
Tags
-
ASPack v2.12-2.42
Description
Detects executables packed with ASPack v2.12-2.42
Tags
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
Description
BIOS information is often read in order to detect sandboxing environments.
TTPs
-
Checks computer location settings
Description
Looks up country code configured in the registry, likely geofence.
TTPs
-
Drops startup file
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Accesses 2FA software files, possible credential harvesting
Tags
TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting
Tags
TTPs
-
Adds Run key to start application
Tags
TTPs
-
Checks installed software on the system
Description
Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags
TTPs
-
Checks whether UAC is enabled
Tags
TTPs
-
Legitimate hosting services abused for malware hosting/C2
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Description
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
Related Tasks
3a4e2dfbd7943c7200d7c5ea70c2b0117408d3c1ac3cac7b757d8e05dcc9ff00
b1e9f93ed954f84cc0144c40c75f178f
3MB
a11c3dc288597c4139fbcab21474dd69931b8668
3a4e2dfbd7943c7200d7c5ea70c2b0117408d3c1ac3cac7b757d8e05dcc9ff00
6a3b1f513a5cdabdc6dae142fa9a61f683a2e514e0f4f1a5b20902eeb2d0918f636b600529ebf20020835d8b2b987d4123c94ee4755df1bb31274a5a4ee16da2
Tags
Signatures
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Vidar
Description
Vidar is an infostealer based on Arkei stealer.
Tags
-
suricata: ET MALWARE GCleaner Downloader Activity M5
Description
suricata: ET MALWARE GCleaner Downloader Activity M5
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags
-
Vidar Stealer
Tags
-
ASPack v2.12-2.42
Description
Detects executables packed with ASPack v2.12-2.42
Tags
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
Tags
TTPs
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Legitimate hosting services abused for malware hosting/C2
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Description
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
Related Tasks
4a4a606501eea3b8b9e128412455243ca20de0efe374c9c47ff3b5caac457375
2b0ce83a2a1065ef402b7a50f45892fd
4MB
d66a565247f9df9ac0bdb3725eee121e98d8914d
4a4a606501eea3b8b9e128412455243ca20de0efe374c9c47ff3b5caac457375
42d19f0130d34a3b37e78b6f1ba9c3c7e07d99e0a76dc005be976c51c2a363e64d475b9caa6805d3e8c1da2a4d32020f307eaae68b41d8c815ae1da8ec0db2ca
Tags
Signatures
-
Modifies Windows Defender Real-time Protection settings
Tags
TTPs
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Socelars
Description
Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags
-
Socelars Payload
-
suricata: ET MALWARE GCleaner Downloader Activity M5
Description
suricata: ET MALWARE GCleaner Downloader Activity M5
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags
TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
Tags
TTPs
-
Checks BIOS information in registry
Description
BIOS information is often read in order to detect sandboxing environments.
TTPs
-
Checks computer location settings
Description
Looks up country code configured in the registry, likely geofence.
TTPs
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Themida packer
Description
Detects Themida, an advanced Windows software protection system.
Tags
-
Checks installed software on the system
Description
Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags
TTPs
-
Checks whether UAC is enabled
Tags
TTPs
-
Legitimate hosting services abused for malware hosting/C2
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Description
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
Related Tasks
4d89b007686d09c5143127f408435b76d2ea36991b728985ac47dcf797e6e7c0
1f998b076047371b95763abf57a2eb5f
5MB
8ef5c726e13d658b2be905e5274cdb0ae5fd60ca
4d89b007686d09c5143127f408435b76d2ea36991b728985ac47dcf797e6e7c0
c9f3603af56effaee8a6027339d359c4954251d17d3168e638eba99fdfc25d1082de86d6bff601f985b4f8819b9808c4e2dcaa8b97947d9595edf791f986f716
Tags
Signatures
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Socelars
Description
Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags
-
Socelars Payload
-
Vidar
Description
Vidar is an infostealer based on Arkei stealer.
Tags
-
suricata: ET MALWARE GCleaner Downloader Activity M5
Description
suricata: ET MALWARE GCleaner Downloader Activity M5
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags
-
Vidar Stealer
Tags
-
ASPack v2.12-2.42
Description
Detects executables packed with ASPack v2.12-2.42
Tags
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
Tags
TTPs
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Legitimate hosting services abused for malware hosting/C2
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Description
Uses a legitimate geolocation service to find the infected system's geolocation info.
Related Tasks
5524bfd8269c656293e16b8da80bd43983f457f261f052e166d90a079517115f
2f3136374745c23cc8b0d05329712308
4MB
06a587bb27cca266d53a593d445b7917faae8646
5524bfd8269c656293e16b8da80bd43983f457f261f052e166d90a079517115f
4efcdd92d0e4234d20b64dd1442931dcc4e8c0b0b5490b2edbdcc5ce209f39b74730f1c0ded07c3d229507b5ce666df76dab4a1dda6ed4d2147fc4da1b81de7b
Tags
Signatures
-
Modifies Windows Defender Real-time Protection settings
Tags
TTPs
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
suricata: ET MALWARE GCleaner Downloader Activity M5
Description
suricata: ET MALWARE GCleaner Downloader Activity M5
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags
-
ASPack v2.12-2.42
Description
Detects executables packed with ASPack v2.12-2.42
Tags
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
Tags
TTPs
-
Checks computer location settings
Description
Looks up country code configured in the registry, likely geofence.
TTPs
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Adds Run key to start application
Tags
TTPs
-
Legitimate hosting services abused for malware hosting/C2
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Description
Uses a legitimate geolocation service to find the infected system's geolocation info.
Related Tasks
582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
b968dfca2c74f26c008abffa22c74581
3MB
160dc676ce1696daa20f3c2d56cf41d84481d628
582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
8146433494d3150b8a0c47783bfe004a8f6503eb71ffc87c508b76342a864f10f9913918a9e0828cfd83634d054868f129e06e4eb3c989c88b1e6c15e1262881
Tags
Signatures
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Description
Simple but powerful infostealer which was very active in 2019.
Tags
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Socelars
Description
Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Description
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Tags
-
suricata: ET MALWARE ServHelper CnC Inital Checkin
Description
suricata: ET MALWARE ServHelper CnC Inital Checkin
Tags
-
Grants admin privileges
Description
Uses net.exe to modify the user's privileges.
TTPs
-
ASPack v2.12-2.42
Description
Detects executables packed with ASPack v2.12-2.42
Tags
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies RDP port number used by Windows
TTPs
-
Sets DLL path for service in the registry
Tags
TTPs
-
Drops startup file
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Legitimate hosting services abused for malware hosting/C2
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Description
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
Related Tasks
588b74dc8e2473c34be3e958cb4f63e6466feb0be21e7b0a6418c1c8112ee370
50693ca6be65ab9f3ab8dc4541821206
4MB
58f816723e3c1f58c6c90a1b4b19a97bf6765fb7
588b74dc8e2473c34be3e958cb4f63e6466feb0be21e7b0a6418c1c8112ee370
1f4935a35ae18890abaee552f2a2215bfcd6b7b9b337f48d4a8af9e3e69a90de61d4f5e09c939bd262e8dfc11503b7dd303934a866ace51969abc69a55bfe4cd
Tags
Signatures
-
Modifies Windows Defender Real-time Protection settings
Tags
TTPs
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
Socelars
Description
Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Vidar
Description
Vidar is an infostealer based on Arkei stealer.
Tags
-
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Description
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Tags
-
suricata: ET MALWARE GCleaner Downloader Activity M5
Description
suricata: ET MALWARE GCleaner Downloader Activity M5
Tags
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Description
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Tags
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Description
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Tags
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Description
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags
TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
Tags
TTPs
-
VMProtect packed file
Description
Detects executables packed with VMProtect commercial packer.
Tags
-
Checks BIOS information in registry
Description
BIOS information is often read in order to detect sandboxing environments.
TTPs
-
Checks computer location settings
Description
Looks up country code configured in the registry, likely geofence.
TTPs
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Themida packer
Description
Detects Themida, an advanced Windows software protection system.
Tags
-
Checks installed software on the system
Description
Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags
TTPs
-
Checks whether UAC is enabled
Tags
TTPs
-
Legitimate hosting services abused for malware hosting/C2
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Description
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
Related Tasks
609accbb14b3fb81d04e3142447678c4a163ec4fa6e33256e00f723e64b0852b
fae157c539487f1e83d8548854409b2e
3MB
cbca5a5851e0a8e501b63fb075cc24becb8e956f
609accbb14b3fb81d04e3142447678c4a163ec4fa6e33256e00f723e64b0852b
c13dbe3ca16660ac59cf56cec6b8e5fdd6a2221a05a8f252e4311445a8d883c29c4ab7a4e3ffaa3ff207e8508540c0153f1e9b36f29f64f53767a46bad79b10f
Tags
Signatures
-
Modifies Windows Defender Real-time Protection settings
Tags
TTPs
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Socelars
Description
Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags
-
Socelars Payload
-
suricata: ET MALWARE GCleaner Downloader Activity M5
Description
suricata: ET MALWARE GCleaner Downloader Activity M5
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags
-
ASPack v2.12-2.42
Description
Detects executables packed with ASPack v2.12-2.42
Tags
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Description
Looks up country code configured in the registry, likely geofence.
TTPs
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Legitimate hosting services abused for malware hosting/C2
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Description
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
Related Tasks
620a9a3efa423f182b5126bec022a1871d7051d08065495ba7bed12e18668111
bbdcb9ff39692c100a8b20f3c2b3ed3d
4MB
9bbf2e4dc2ac398596fe87cd09f9add86b27fb16
620a9a3efa423f182b5126bec022a1871d7051d08065495ba7bed12e18668111
d2935c9ae3eafd5c5ccd89a0864eb6dc647d32a0b36f20b3eeb94540982fd9721aaf8f70a8f5a09e9016b9e01e46682a053f44583ecffa14fef34ff4948422a7
Tags
Signatures
-
Modifies Windows Defender Real-time Protection settings
Tags
TTPs
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Description
Simple but powerful infostealer which was very active in 2019.
Tags
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Socelars
Description
Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Vidar
Description
Vidar is an infostealer based on Arkei stealer.
Tags
-
suricata: ET MALWARE GCleaner Downloader Activity M5
Description
suricata: ET MALWARE GCleaner Downloader Activity M5
Tags
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Description
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Tags
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Description
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Tags
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Description
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags
-
Vidar Stealer
Tags
-
ASPack v2.12-2.42
Description
Detects executables packed with ASPack v2.12-2.42
Tags
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Legitimate hosting services abused for malware hosting/C2
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Description
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
Related Tasks
623bb62b2bdec1c2b272fbeb0da95904b91f20f95a27dc8a59d0ca4c1010ef7c
15b7d616b28fb9df36d631a27dbf2e93
5MB
0019bad9cc179f7274b620da0a75728a46331500
623bb62b2bdec1c2b272fbeb0da95904b91f20f95a27dc8a59d0ca4c1010ef7c
e3a4c09bcc5d1c76ee8e3927fddaf08c3027a1e381067ac69e6688e2254158b9048899349b4fbec3e0cbbcc5a7a55ba8827e93be9641bc7f64bce17b56be7831
Tags
Signatures
-
Modifies Windows Defender Real-time Protection settings
Tags
TTPs
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Socelars
Description
Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Vidar
Description
Vidar is an infostealer based on Arkei stealer.
Tags
-
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Description
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Tags
-
suricata: ET MALWARE GCleaner Downloader Activity M5
Description
suricata: ET MALWARE GCleaner Downloader Activity M5
Tags
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Description
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Tags
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Description
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Tags
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Description
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Tags
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Description
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags
-
Checks for common network interception software
Description
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
Tags
TTPs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags
TTPs
-
Vidar Stealer
Tags
-
ASPack v2.12-2.42
Description
Detects executables packed with ASPack v2.12-2.42
Tags
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Checks BIOS information in registry
Description
BIOS information is often read in order to detect sandboxing environments.
TTPs
-
Checks computer location settings
Description
Looks up country code configured in the registry, likely geofence.
TTPs
-
Drops startup file
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Accesses 2FA software files, possible credential harvesting
Tags
TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting
Tags
TTPs
-
Adds Run key to start application
Tags
TTPs
-
Checks installed software on the system
Description
Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags
TTPs
-
Checks whether UAC is enabled
Tags
TTPs
-
Enumerates connected drives
Description
Attempts to read the root path of hard drives other than the default C: drive.
TTPs
-
Legitimate hosting services abused for malware hosting/C2
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Description
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
Related Tasks
Size: 5MB
MD5: 2a63fa2ace27f76ad1a17c6f1bb01353
SHA1: 44fa3ece4acf17cfc51a36960f65b8bd81feea5e
SHA256: 642c69b7109f087d01166ed237a4fd4611a2209a11e23a8dc2f2ba5aec3118bc
SHA512: 711d462e56226e3170fd63cc87362a046ae398bc33258d3fc7cefdb1f973a266848b6b4510f60ffbfdfedfff980d2e346af0fa6e2b841624aae0f04ebb82a9e1
Signatures
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- SmokeLoader: Modular backdoor trojan in use since 2014.
- Socelars: Socelars is an infostealer targeting browser cookies and credit card credentials.
- Socelars Payload
- Vidar: Vidar is an infostealer based on Arkei stealer.
- suricata: ET MALWARE GCleaner Downloader Activity M5
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
- Vidar Stealer
- ASPack v2.12-2.42: Detects executables packed with ASPack v2.12-2.42
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Loads dropped DLL
- Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service: Uses a legitimate geolocation service to find the infected system's geolocation info.
Related Tasks
Size: 2MB
MD5: c6fe254394e47430b9082139448aabe9
SHA1: ec0993c200353cbc1ccaacd53643e4077bf75a78
SHA256: 6e18165c4a3685b247b326103b7a12266f7d01a8831aa97e710449273263dc34
SHA512: 131bdb23487fb5e8df908cc3e8d1609cd67290fd13fa3c5999ae8d706d4178aa8dd46f809b5ba92ad929b6b22dcb463a475e77bcbf07f82512697893ed513408
Signatures
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon: Simple but powerful infostealer which was very active in 2019.
- SmokeLoader: Modular backdoor trojan in use since 2014.
- Suspicious use of NtCreateProcessExOtherParentProcess
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
- Downloads MZ/PE file
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
Related Tasks
Size: 504KB
MD5: 7f1faa8a4ddb32af19428f462da72136
SHA1: c7dea48daab84594fa0138542c274e8e9ce1fedf
SHA256: 78a82aa6d47c01237be6b269d2bda88a9ca0b1e6eecc29ba631e18fbbd18e5cd
SHA512: f8a4c204224d200f326f7782e4b1024cd2745631727f948eb7904267113d062a0f34d1b53b6b972e0dbf4f37e4e08b5b4b8e6878f3677100513fbf515ef84057
Signatures
- Executes dropped EXE
- Loads dropped DLL
Related Tasks
Size: 6MB
MD5: 85fdfaf0375116479cb4d27c7bfd1263
SHA1: 64f6c4fafa6477128a4594435c6160a94c29a269
SHA256: 809ed9e2d09751dad774b865881411b32bd24ad1626e331c0760b507c20eb741
SHA512: 91a50317af88a6f5c33f471f771c04cb56aa5228bceeb94336d10d7934c056fcd682c5f20ad693399ed02be142173c60f28a1884664ead07dbdec312674b4a5b
Signatures
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- SmokeLoader: Modular backdoor trojan in use since 2014.
- Socelars: Socelars is an infostealer targeting browser cookies and credit card credentials.
- Socelars Payload
- suricata: ET MALWARE GCleaner Downloader Activity M5
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
- ASPack v2.12-2.42: Detects executables packed with ASPack v2.12-2.42
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service: Uses a legitimate geolocation service to find the infected system's geolocation info.
Related Tasks
Size: 5MB
MD5: d4074889823e1903a7cad0b5fec73ec2
SHA1: b143adc240983728c546d24af9f15e987e181883
SHA256: 82bf2273f62e1bb50f3189fcf8bcf367a264e6942848209c325b3dd5da2cd62f
SHA512: 3af61a360e747ef3751e7108c3b54ead237da4b267af34c798986891adfceb7d0c41cde9ce8f73dd8666c0f39037a62ae9b3044c237777b5170c5abb24725ee5
Signatures
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- SmokeLoader: Modular backdoor trojan in use since 2014.
- Socelars: Socelars is an infostealer targeting browser cookies and credit card credentials.
- Socelars Payload
- Vidar: Vidar is an infostealer based on Arkei stealer.
- suricata: ET MALWARE GCleaner Downloader Activity M5
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
- Vidar Stealer
- ASPack v2.12-2.42: Detects executables packed with ASPack v2.12-2.42
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Loads dropped DLL
- Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service: Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
Related Tasks
Size: 3MB
MD5: a4d23ac3c7172b9aa02e35b6bf0fd21f
SHA1: 0326aab7deddfefc048c9a67ac9ce4ee14ea9003
SHA256: 9bd142ecfe89857de80bb3255a1655f680ca6451b45cca235096dc1c1285e806
SHA512: 9e425d8a1beaeabfc983bb75a7a5f8a8c0823e825e9f66e17b0f515b2897da9f2d9b2f1aa9939fdbae6c826c2c730d3bc772abec9e35a61d3d73a6cdb87ddf10
Signatures
- Modifies Windows Defender Real-time Protection settings
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- SmokeLoader: Modular backdoor trojan in use since 2014.
- Socelars: Socelars is an infostealer targeting browser cookies and credit card credentials.
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar: Vidar is an infostealer based on Arkei stealer.
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
- suricata: ET MALWARE GCleaner Downloader Activity M5
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- ASPack v2.12-2.42: Detects executables packed with ASPack v2.12-2.42
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials etc.
- Checks whether UAC is enabled
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service: Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
Related Tasks
Size: 3MB
MD5: 9725f7f222530388cb2743504a6e0667
SHA1: 56d0eb91855e326b050c904147f4d9dafc596d70
SHA256: 9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782
SHA512: ea5aedb3c3ab725c9afc65481ef7b59cdfad80613aaf43a8e76ec94045824269b008007644cb7943e65e98a87650f7f980afcd66ae1dee7807d84be57c018663
Signatures
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- SmokeLoader: Modular backdoor trojan in use since 2014.
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar: Vidar is an infostealer based on Arkei stealer.
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
- suricata: ET MALWARE GCleaner Downloader Activity M5
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
- ASPack v2.12-2.42: Detects executables packed with ASPack v2.12-2.42
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service: Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
Related Tasks
Size: 4MB
MD5: 4263d12dd5f4d595e9efae16102d9b6d
SHA1: cbf93a6ea05b8da4214fd847c8f209151a0b76bd
SHA256: 9d608ed375a27a573add396e92f4f8e831cb71d344fa21f14b04c42788946511
SHA512: d548edc17b06d9f047f48bb3190d0840b15b510784965acfa38fbf2b69cf975bc3ea2370484d26eefe79a8e4609a337dede4a783216e8b8de5fb07bcc3204018
Signatures
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- SmokeLoader: Modular backdoor trojan in use since 2014.
- Suspicious use of NtCreateProcessExOtherParentProcess
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials etc.
- Checks whether UAC is enabled
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
Related Tasks
Size: 4MB
MD5: eeab16ae25d712b91f2faf84b44a4ca8
SHA1: fd182f829b29b41495c4cc66be7266062d3b71e0
SHA256: 9ed5bbddf1be7ad2f19ae45eff5839f0e7a7f435f9fd583a49c2ff7a5e860d6e
SHA512: 0074546e453e49d55a9c4ad8ca32bf67bb8346e1b084e90e047a00a3814a7668328a6b188f9595f25c5e784a9c9d6001940dd61f1c666493a92347fb2e6e5292
Signatures
- Modifies Windows Defender Real-time Protection settings
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- SmokeLoader: Modular backdoor trojan in use since 2014.
- Socelars: Socelars is an infostealer targeting browser cookies and credit card credentials.
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar: Vidar is an infostealer based on Arkei stealer.
- suricata: ET MALWARE GCleaner Downloader Activity M5
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
- Vidar Stealer
- ASPack v2.12-2.42: Detects executables packed with ASPack v2.12-2.42
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service: Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
Related Tasks
Size: 4MB
MD5: bfc2137972c74edea0f9791b94486e9b
SHA1: fd72e52406ce3f2ae5cfdb5dd8c7243f3ce31eb3
SHA256: a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4
SHA512: 9fcd3756f9888e2000b94caf0d803087497b87428c0bd641901d2e416411bc698d9ca3a7a00d3cd711b681f3c8b8921f2a478f0ec1f975bc36fde5cf16741e75
Signatures
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon: Simple but powerful infostealer which was very active in 2019.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- SmokeLoader: Modular backdoor trojan in use since 2014.
- Socelars: Socelars is an infostealer targeting browser cookies and credit card credentials.
- Socelars Payload
- suricata: ET MALWARE GCleaner Downloader Activity M5
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
- ASPack v2.12-2.42: Detects executables packed with ASPack v2.12-2.42
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service: Uses a legitimate geolocation service to find the infected system's geolocation info.