Malware sandboxing report by Hatching Triage

Resubmissions

10-11-2021 14:52

211110-r84p8aedej 10

09-11-2021 13:19

211109-qkrv3sfcg4 10

Sharing

Copy URL

Twitter E-mail

General

Target

6040081023533056.zip
Size

210MB
Sample

211110-r84p8aedej
MD5

718122e481538fe9069b13d4ad3feccf
SHA1

bd021b079d05d335981651154afe30f158f3f036
SHA256

400debff42246bcf28d1eba937480ebdfa755c932707db10ab58ec4a1f5e94f1
SHA512

5d24fa36f6caa029bb65c50dfea219ab66262bdd6b54a20eefabed7cb9c9c961c189e25304e43ceaf19a4eaa5c7c3618727d36fd3b9ac30b0d083227334dae12

Malware Config

Extracted

Family

smokeloader

Version

2020

http://gmpeople.com/upload/

http://mile48.com/upload/

http://lecanardstsornin.com/upload/

http://m3600.com/upload/

http://camasirx.com/upload/

http://nalirou70.top/

http://xacokuo80.top/

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

http://bostoc.com/upload/

http://qianyoupj.cn/upload/

http://sleoppen.com/upload/

http://stempelbeton.at/upload/

rc4.i32

Extracted

Family

redline

tatreriash.xyz:80

Extracted

Family

redline

Botnet

she

135.181.129.119:4805

Extracted

Family

socelars

http://www.hhgenice.top/

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

http://www.efxety.top/

Extracted

Family

redline

Botnet

udptest

193.56.146.64:65441

Extracted

Family

vidar

Version

48.1

Botnet

937

Attributes

profile_id
937

Extracted

Family

redline

Botnet

1011h

charirelay.xyz:80

Extracted

Family

redline

Botnet

ANI

194.104.136.5:46013

45.142.215.47:27643

Extracted

Family

redline

Botnet

media14

91.121.67.60:2151

Extracted

Family

raccoon

Botnet

2f2ad1a1aa093c5a9d17040c8efd5650a99640b5

Attributes

url4cnc
http://telegatt.top/oh12manymarty
http://telegka.top/oh12manymarty
http://telegin.top/oh12manymarty
https://t.me/oh12manymarty

rc4.plain

Extracted

Family

redline

Botnet

Chris

194.104.136.5:46013

Extracted

Family

redline

Botnet

media18

91.121.67.60:2151

Extracted

Family

redline

Botnet

fucker2

135.181.129.119:4805

Extracted

Family

vidar

Version

41.4

Botnet

916

https://mas.to/@sslam

Attributes

profile_id
916

Extracted

Family

redline

Botnet

media17

91.121.67.60:2151

Extracted

Family

redline

Botnet

fuck1

135.181.129.119:4805

Extracted

Family

vidar

Version

41.5

Botnet

916

https://mas.to/@xeroxxx

Attributes

profile_id
916

Extracted

Family

redline

Botnet

media13

91.121.67.60:2151

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

fcdc156d3872c18d25e3ee45499599b45e492a67

Attributes

url4cnc
http://178.23.190.57/rino115sipsip
http://91.219.236.162/rino115sipsip
http://185.163.47.176/rino115sipsip
http://193.38.54.238/rino115sipsip
http://74.119.192.122/rino115sipsip
http://91.219.236.240/rino115sipsip
https://t.me/rino115sipsip

rc4.plain

Extracted

Family

vidar

Version

41.3

Botnet

916

https://mas.to/@oleg98

Attributes

profile_id
916

Extracted

Language

ps1

Source

URLs

exe.dropper

https://cdn.discordapp.com/attachments/523238636561629190/894846072097218580/ghielufuzymmuibugkhmviaajvfwio.exe

Extracted

Family

redline

Botnet

05.10

80.92.205.116:59599

Extracted

Family

redline

Botnet

media12

91.121.67.60:2151

Extracted

Family

redline

Botnet

build

77.232.40.127:8204

Extracted

Family

redline

Botnet

media15

91.121.67.60:2151

Extracted

Family

redline

Botnet

media20

91.121.67.60:2151

Targets

- Target
  
  01a53007f9b19d8ae4f12cc75bafcbef064f75d3a4b31b347b334a2d30558d68
- Size
  
  3MB
- MD5
  
  b5b1415b3890d0108ac53acd595497b9
- SHA1
  
  876eb8e34ecb3c1fea20e2c6b710346676ad2de2
- SHA256
  
  01a53007f9b19d8ae4f12cc75bafcbef064f75d3a4b31b347b334a2d30558d68
- SHA512
  
  fe58023cba73deac0229cd45b73227e5d1c1f6760f3f053dbcdb4f388d6234940985f57ab8ffc73c4e8eff4bf3a2ef956cd44bdcdd66c44c1cc1ea86e335e4d0
Score

10^/10

redline smokeloader socelars she aspackv2 backdoor evasion infostealer spyware stealer suricata themida trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- rl_trojan
  redline stealer.
  stealer
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66
- Size
  
  403KB
- MD5
  
  f957e397e71010885b67f2afe37d8161
- SHA1
  
  a8bf84b971b37ac6e7f66c5e5a7e971a7741401e
- SHA256
  
  022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66
- SHA512
  
  8b5e9cb926fafc295c403c1fce7aa883db3a327e58c3295e9a081a8937bed28e305cca08c2c7d98080818095ea99bb4047e10aa2f61e3e4d6d965aef6d16a4f6
Score

10^/10

gozi_ifsb redline smokeloader socelars vidar xmrig 1011h 937 udptest backdoor banker discovery evasion infostealer miner spyware stealer suricata themida trojan vmprotect
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Vidar Stealer
  stealer
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral2
- Target
  
  02ca2b5bb774890c50950ad93becc2851bac8d04c35464dad4854088c5db4135
- Size
  
  6MB
- MD5
  
  dcd0d8a4e476db4602f3beae6a60b4c9
- SHA1
  
  7906d0674d60685b06289db375eacf954e3185e3
- SHA256
  
  02ca2b5bb774890c50950ad93becc2851bac8d04c35464dad4854088c5db4135
- SHA512
  
  62301111141dcc72862dde4d277b4250c25bb7532105348bbb51e8ca30ded5c985016a61978509c271210faf50cbe5d789ce5f6de84511167b2c5131e8041bd8
Score

10^/10

redline smokeloader socelars ani media14 she aspackv2 backdoor infostealer stealer suricata trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral3
- Target
  
  0d69cafe700a952a621c9b5981504e30c939c3d6cc34452691fce67b2eb6c1cd
- Size
  
  5MB
- MD5
  
  a121db3e0809289a5c41c44958ff6fa0
- SHA1
  
  fd40bbe6eaeea4004046f65a8c647fabb35e1742
- SHA256
  
  0d69cafe700a952a621c9b5981504e30c939c3d6cc34452691fce67b2eb6c1cd
- SHA512
  
  0e4af224ea67c07bdce0bae3b4040d900e2c011557ef55d8d0e68d596826561a8d4f3b553cc3290cf60e87ccee975deb65c1de9553fabfee5f67268935d8081f
Score

10^/10

redline smokeloader socelars ani she aspackv2 backdoor evasion infostealer spyware stealer suricata trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral4
- Target
  
  0df647f0a2aa6c1aa1ec9426b9ef7c23eb6394f3ed29fbbdd0e9e228d24510bc
- Size
  
  4MB
- MD5
  
  5fdb93aaa25f3b7e5a0a7d046e92df52
- SHA1
  
  450ea998b3090ef6922200b87e49fd0c7f543420
- SHA256
  
  0df647f0a2aa6c1aa1ec9426b9ef7c23eb6394f3ed29fbbdd0e9e228d24510bc
- SHA512
  
  85421cae4393bd86da4a1d48fbfd4f1fa14ae3c369f9f3da5f4ef5684ce18ed5576d9e221a1264f01cb9a6211113ca64a16e708671f83e946773cd0c430dd8e6
Score

10^/10

raccoon redline smokeloader socelars 2f2ad1a1aa093c5a9d17040c8efd5650a99640b5 chris media18 aspackv2 backdoor evasion infostealer spyware stealer suricata trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral5
- Target
  
  1df367eead22695952cce5131891dfec5c479da37cb3dac0403015ebb785032c
- Size
  
  4MB
- MD5
  
  cc2c8271c80d294b35d51b0721d59ba5
- SHA1
  
  397ee3270770e940ee868d3d06d9feaed1599d79
- SHA256
  
  1df367eead22695952cce5131891dfec5c479da37cb3dac0403015ebb785032c
- SHA512
  
  ecfd4c52c008a86ca387a00c530fcac2971080b5cabae4d91da425f3cb042ca2e363c5048c0ea7349ea446f4e3797c04448b84a863fbf9672dded861cc22f34c
Score

10^/10

raccoon redline smokeloader socelars vidar 2f2ad1a1aa093c5a9d17040c8efd5650a99640b5 fucker2 media18 aspackv2 backdoor discovery evasion infostealer spyware stealer suricata trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral6
- Target
  
  1e083736aeca35b40f45693442d37466fa7b61ab36b2cebc2a49cb8c8492a433
- Size
  
  5MB
- MD5
  
  2054a395da9f7a789bef703c5d2d60c1
- SHA1
  
  f170cbc93d4fb3f4f92ccd88039272bf78bdfa89
- SHA256
  
  1e083736aeca35b40f45693442d37466fa7b61ab36b2cebc2a49cb8c8492a433
- SHA512
  
  1439382b36a24d898fc769a742b05c2c9ad898a6e5750e0f7e813fd5d536834e44572061efb0c89af72c5a97c3502e9ee30c2c861154f0fbb4c4164e3880ffcf
Score

10^/10

redline smokeloader socelars vidar xmrig 916 937 ani media17 aspackv2 backdoor discovery evasion infostealer miner persistence spyware stealer suricata trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral7
- Target
  
  1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d
- Size
  
  7MB
- MD5
  
  2b01f663d5244764e8c2d164d3345fd6
- SHA1
  
  2b0dfcc018a5da0f140352bd114fb0f5e9abdfc3
- SHA256
  
  1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d
- SHA512
  
  2c7dd219673800320e3432ff6d8d2e5c2c3ae60a5f5960097d16ff79f385186ce13a81ea5a2b3d17652161d55ea552712f73d2d154b377fa74ec10043469dab4
Score

10^/10

raccoon redline smokeloader socelars vidar 2f2ad1a1aa093c5a9d17040c8efd5650a99640b5 916 fuck1 media18 aspackv2 backdoor infostealer stealer suricata trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral8
- Target
  
  2010009ff5b8b55fbcaa90318461a1b5b69ef6c8fd32ac279e81a10844d57859
- Size
  
  3MB
- MD5
  
  8e909af6cbb66bc255609e7d86360e7c
- SHA1
  
  3b3fbbe358970adea4c69ea8a0251407697a09e0
- SHA256
  
  2010009ff5b8b55fbcaa90318461a1b5b69ef6c8fd32ac279e81a10844d57859
- SHA512
  
  bd943f7562b3849695d5cec246366fc8fc811359edf890a41ed3169bd582e68b02c5831fca738b88a4d71c0e42dd3d202bc48cbc49bad24754465b410369826a
Score

10^/10

redline smokeloader socelars vidar 937 media13 she aspackv2 backdoor discovery evasion infostealer persistence spyware stealer suricata trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral9
- Target
  
  243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493
- Size
  
  4MB
- MD5
  
  664aed619fcf50da08dc9d74f48aad57
- SHA1
  
  995df8d6655cf256187df9bc9699bdd094c33616
- SHA256
  
  243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493
- SHA512
  
  c2b5326396712ef94b51ab52e5f655134978af980db04c09c3cb7a6fce5e236087da790a65b493c1e9760617a2867070ad824a2d458f38a65916594d313254fc
Score

10^/10

raccoon redline smokeloader socelars vidar 2f2ad1a1aa093c5a9d17040c8efd5650a99640b5 fucker2 media18 aspackv2 backdoor evasion infostealer spyware stealer suricata trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral10
- Target
  
  2d63a14e4ab37be8d0eee3d87959e3a0ef972d07411c136ecf2f1ac4191a701a
- Size
  
  3MB
- MD5
  
  e04c606d6936962fe40913b1654410d8
- SHA1
  
  37a7a94ea89f4697ad779a43c907deef4fd04f89
- SHA256
  
  2d63a14e4ab37be8d0eee3d87959e3a0ef972d07411c136ecf2f1ac4191a701a
- SHA512
  
  a98c183a3b9b4cc34544f9cd1ba5ba4a41595ce06d21e0ae2598adc96096411e94a09e3ef72bdc49f7a74b2d58bd7274e041eee2c4d3cee6f2476b3c000c8ba2
Score

10^/10

raccoon redline smokeloader socelars ani fcdc156d3872c18d25e3ee45499599b45e492a67 she aspackv2 backdoor infostealer persistence spyware stealer suricata trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata
- suricata: ET MALWARE ServHelper CnC Inital Checkin
  suricata: ET MALWARE ServHelper CnC Inital Checkin
  suricata
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies RDP port number used by Windows
- Sets DLL path for service in the registry
  persistence
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral11
- Target
  
  30e6815ae008a8638c5b30460098904121e0b98c7e87784d950f1dc55aafec51
- Size
  
  8KB
- MD5
  
  af6e236e2635e451927e7e99f159709a
- SHA1
  
  ff5a827131c817a3bf95bb8b798b272101428618
- SHA256
  
  30e6815ae008a8638c5b30460098904121e0b98c7e87784d950f1dc55aafec51
- SHA512
  
  4b4fd1668211f7193c0b41bb014015f9502b2b75cb0237500c4754e3925d16f719e5154b5fe3cc328d867cfd3cd480802d6150140a48ba5a6ca407100b4b08e6
Score

1^/10
behavioral12
- Target
  
  364d3b0e9456ecff4518f48695df817af1fdcd76c1f9644a35cfe5ec621e5ffa
- Size
  
  5MB
- MD5
  
  395991dd927c34de92ef13d9dad8664a
- SHA1
  
  d7a6e083fc39aa0933865549dd553e83e7f486bf
- SHA256
  
  364d3b0e9456ecff4518f48695df817af1fdcd76c1f9644a35cfe5ec621e5ffa
- SHA512
  
  f27eb6c9c63e1a40dc675b40b419481b95e27e4ceff042fe94a0ef8a77568844900d962485cfd7a1035203161693cba320375b5cc57cd12c51695a5252d78fb3
Score

10^/10

redline smokeloader socelars vidar 916 937 ani she aspackv2 backdoor discovery evasion infostealer persistence spyware stealer suricata trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral13
- Target
  
  3a4e2dfbd7943c7200d7c5ea70c2b0117408d3c1ac3cac7b757d8e05dcc9ff00
- Size
  
  3MB
- MD5
  
  b1e9f93ed954f84cc0144c40c75f178f
- SHA1
  
  a11c3dc288597c4139fbcab21474dd69931b8668
- SHA256
  
  3a4e2dfbd7943c7200d7c5ea70c2b0117408d3c1ac3cac7b757d8e05dcc9ff00
- SHA512
  
  6a3b1f513a5cdabdc6dae142fa9a61f683a2e514e0f4f1a5b20902eeb2d0918f636b600529ebf20020835d8b2b987d4123c94ee4755df1bb31274a5a4ee16da2
Score

10^/10

redline smokeloader vidar ani media13 she aspackv2 backdoor evasion infostealer spyware stealer suricata trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral14
- Target
  
  4a4a606501eea3b8b9e128412455243ca20de0efe374c9c47ff3b5caac457375
- Size
  
  4MB
- MD5
  
  2b0ce83a2a1065ef402b7a50f45892fd
- SHA1
  
  d66a565247f9df9ac0bdb3725eee121e98d8914d
- SHA256
  
  4a4a606501eea3b8b9e128412455243ca20de0efe374c9c47ff3b5caac457375
- SHA512
  
  42d19f0130d34a3b37e78b6f1ba9c3c7e07d99e0a76dc005be976c51c2a363e64d475b9caa6805d3e8c1da2a4d32020f307eaae68b41d8c815ae1da8ec0db2ca
Score

10^/10

redline smokeloader socelars 05.10 backdoor discovery evasion infostealer spyware stealer suricata themida trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral15
- Target
  
  4d89b007686d09c5143127f408435b76d2ea36991b728985ac47dcf797e6e7c0
- Size
  
  5MB
- MD5
  
  1f998b076047371b95763abf57a2eb5f
- SHA1
  
  8ef5c726e13d658b2be905e5274cdb0ae5fd60ca
- SHA256
  
  4d89b007686d09c5143127f408435b76d2ea36991b728985ac47dcf797e6e7c0
- SHA512
  
  c9f3603af56effaee8a6027339d359c4954251d17d3168e638eba99fdfc25d1082de86d6bff601f985b4f8819b9808c4e2dcaa8b97947d9595edf791f986f716
Score

10^/10

redline smokeloader socelars vidar 916 ani aspackv2 backdoor evasion infostealer spyware stealer suricata trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral16
- Target
  
  5524bfd8269c656293e16b8da80bd43983f457f261f052e166d90a079517115f
- Size
  
  4MB
- MD5
  
  2f3136374745c23cc8b0d05329712308
- SHA1
  
  06a587bb27cca266d53a593d445b7917faae8646
- SHA256
  
  5524bfd8269c656293e16b8da80bd43983f457f261f052e166d90a079517115f
- SHA512
  
  4efcdd92d0e4234d20b64dd1442931dcc4e8c0b0b5490b2edbdcc5ce209f39b74730f1c0ded07c3d229507b5ce666df76dab4a1dda6ed4d2147fc4da1b81de7b
Score

10^/10

redline smokeloader ani media12 she aspackv2 backdoor evasion infostealer persistence spyware stealer suricata trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral17
- Target
  
  582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
- Size
  
  3MB
- MD5
  
  b968dfca2c74f26c008abffa22c74581
- SHA1
  
  160dc676ce1696daa20f3c2d56cf41d84481d628
- SHA256
  
  582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
- SHA512
  
  8146433494d3150b8a0c47783bfe004a8f6503eb71ffc87c508b76342a864f10f9913918a9e0828cfd83634d054868f129e06e4eb3c989c88b1e6c15e1262881
Score

10^/10

raccoon redline smokeloader socelars ani fcdc156d3872c18d25e3ee45499599b45e492a67 she aspackv2 backdoor infostealer persistence spyware stealer suricata trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata
- suricata: ET MALWARE ServHelper CnC Inital Checkin
  suricata: ET MALWARE ServHelper CnC Inital Checkin
  suricata
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies RDP port number used by Windows
- Sets DLL path for service in the registry
  persistence
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral18
- Target
  
  588b74dc8e2473c34be3e958cb4f63e6466feb0be21e7b0a6418c1c8112ee370
- Size
  
  4MB
- MD5
  
  50693ca6be65ab9f3ab8dc4541821206
- SHA1
  
  58f816723e3c1f58c6c90a1b4b19a97bf6765fb7
- SHA256
  
  588b74dc8e2473c34be3e958cb4f63e6466feb0be21e7b0a6418c1c8112ee370
- SHA512
  
  1f4935a35ae18890abaee552f2a2215bfcd6b7b9b337f48d4a8af9e3e69a90de61d4f5e09c939bd262e8dfc11503b7dd303934a866ace51969abc69a55bfe4cd
Score

10^/10

redline socelars vidar 05.10 build discovery evasion infostealer spyware stealer suricata themida trojan vmprotect
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral19
- Target
  
  609accbb14b3fb81d04e3142447678c4a163ec4fa6e33256e00f723e64b0852b
- Size
  
  3MB
- MD5
  
  fae157c539487f1e83d8548854409b2e
- SHA1
  
  cbca5a5851e0a8e501b63fb075cc24becb8e956f
- SHA256
  
  609accbb14b3fb81d04e3142447678c4a163ec4fa6e33256e00f723e64b0852b
- SHA512
  
  c13dbe3ca16660ac59cf56cec6b8e5fdd6a2221a05a8f252e4311445a8d883c29c4ab7a4e3ffaa3ff207e8508540c0153f1e9b36f29f64f53767a46bad79b10f
Score

10^/10

redline smokeloader socelars she aspackv2 backdoor evasion infostealer spyware stealer suricata trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral20
- Target
  
  620a9a3efa423f182b5126bec022a1871d7051d08065495ba7bed12e18668111
- Size
  
  4MB
- MD5
  
  bbdcb9ff39692c100a8b20f3c2b3ed3d
- SHA1
  
  9bbf2e4dc2ac398596fe87cd09f9add86b27fb16
- SHA256
  
  620a9a3efa423f182b5126bec022a1871d7051d08065495ba7bed12e18668111
- SHA512
  
  d2935c9ae3eafd5c5ccd89a0864eb6dc647d32a0b36f20b3eeb94540982fd9721aaf8f70a8f5a09e9016b9e01e46682a053f44583ecffa14fef34ff4948422a7
Score

10^/10

raccoon redline smokeloader socelars vidar 2f2ad1a1aa093c5a9d17040c8efd5650a99640b5 937 fucker2 media18 aspackv2 backdoor evasion infostealer spyware stealer suricata trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral21
- Target
  
  623bb62b2bdec1c2b272fbeb0da95904b91f20f95a27dc8a59d0ca4c1010ef7c
- Size
  
  5MB
- MD5
  
  15b7d616b28fb9df36d631a27dbf2e93
- SHA1
  
  0019bad9cc179f7274b620da0a75728a46331500
- SHA256
  
  623bb62b2bdec1c2b272fbeb0da95904b91f20f95a27dc8a59d0ca4c1010ef7c
- SHA512
  
  e3a4c09bcc5d1c76ee8e3927fddaf08c3027a1e381067ac69e6688e2254158b9048899349b4fbec3e0cbbcc5a7a55ba8827e93be9641bc7f64bce17b56be7831
Score

10^/10

redline smokeloader socelars vidar 937 ani she aspackv2 backdoor discovery evasion infostealer persistence spyware stealer suricata trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral22
- Target
  
  642c69b7109f087d01166ed237a4fd4611a2209a11e23a8dc2f2ba5aec3118bc
- Size
  
  5MB
- MD5
  
  2a63fa2ace27f76ad1a17c6f1bb01353
- SHA1
  
  44fa3ece4acf17cfc51a36960f65b8bd81feea5e
- SHA256
  
  642c69b7109f087d01166ed237a4fd4611a2209a11e23a8dc2f2ba5aec3118bc
- SHA512
  
  711d462e56226e3170fd63cc87362a046ae398bc33258d3fc7cefdb1f973a266848b6b4510f60ffbfdfedfff980d2e346af0fa6e2b841624aae0f04ebb82a9e1
Score

10^/10

redline smokeloader socelars vidar 916 ani she aspackv2 backdoor evasion infostealer spyware stealer suricata trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral23
- Target
  
  6e18165c4a3685b247b326103b7a12266f7d01a8831aa97e710449273263dc34
- Size
  
  2MB
- MD5
  
  c6fe254394e47430b9082139448aabe9
- SHA1
  
  ec0993c200353cbc1ccaacd53643e4077bf75a78
- SHA256
  
  6e18165c4a3685b247b326103b7a12266f7d01a8831aa97e710449273263dc34
- SHA512
  
  131bdb23487fb5e8df908cc3e8d1609cd67290fd13fa3c5999ae8d706d4178aa8dd46f809b5ba92ad929b6b22dcb463a475e77bcbf07f82512697893ed513408
Score

10^/10

raccoon smokeloader fcdc156d3872c18d25e3ee45499599b45e492a67 backdoor stealer suricata trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata
- Downloads MZ/PE file
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral24
- Target
  
  78a82aa6d47c01237be6b269d2bda88a9ca0b1e6eecc29ba631e18fbbd18e5cd
- Size
  
  504KB
- MD5
  
  7f1faa8a4ddb32af19428f462da72136
- SHA1
  
  c7dea48daab84594fa0138542c274e8e9ce1fedf
- SHA256
  
  78a82aa6d47c01237be6b269d2bda88a9ca0b1e6eecc29ba631e18fbbd18e5cd
- SHA512
  
  f8a4c204224d200f326f7782e4b1024cd2745631727f948eb7904267113d062a0f34d1b53b6b972e0dbf4f37e4e08b5b4b8e6878f3677100513fbf515ef84057
Score

8^/10
- Executes dropped EXE
- Loads dropped DLL
behavioral25
- Target
  
  809ed9e2d09751dad774b865881411b32bd24ad1626e331c0760b507c20eb741
- Size
  
  6MB
- MD5
  
  85fdfaf0375116479cb4d27c7bfd1263
- SHA1
  
  64f6c4fafa6477128a4594435c6160a94c29a269
- SHA256
  
  809ed9e2d09751dad774b865881411b32bd24ad1626e331c0760b507c20eb741
- SHA512
  
  91a50317af88a6f5c33f471f771c04cb56aa5228bceeb94336d10d7934c056fcd682c5f20ad693399ed02be142173c60f28a1884664ead07dbdec312674b4a5b
Score

10^/10

redline smokeloader socelars ani media15 she aspackv2 backdoor evasion infostealer stealer suricata trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral26
- Target
  
  82bf2273f62e1bb50f3189fcf8bcf367a264e6942848209c325b3dd5da2cd62f
- Size
  
  5MB
- MD5
  
  d4074889823e1903a7cad0b5fec73ec2
- SHA1
  
  b143adc240983728c546d24af9f15e987e181883
- SHA256
  
  82bf2273f62e1bb50f3189fcf8bcf367a264e6942848209c325b3dd5da2cd62f
- SHA512
  
  3af61a360e747ef3751e7108c3b54ead237da4b267af34c798986891adfceb7d0c41cde9ce8f73dd8666c0f39037a62ae9b3044c237777b5170c5abb24725ee5
Score

10^/10

redline smokeloader socelars vidar 916 937 ani media17 aspackv2 backdoor evasion infostealer spyware stealer suricata trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral27
- Target
  
  9bd142ecfe89857de80bb3255a1655f680ca6451b45cca235096dc1c1285e806
- Size
  
  3MB
- MD5
  
  a4d23ac3c7172b9aa02e35b6bf0fd21f
- SHA1
  
  0326aab7deddfefc048c9a67ac9ce4ee14ea9003
- SHA256
  
  9bd142ecfe89857de80bb3255a1655f680ca6451b45cca235096dc1c1285e806
- SHA512
  
  9e425d8a1beaeabfc983bb75a7a5f8a8c0823e825e9f66e17b0f515b2897da9f2d9b2f1aa9939fdbae6c826c2c730d3bc772abec9e35a61d3d73a6cdb87ddf10
Score

10^/10

redline smokeloader socelars vidar ani she aspackv2 backdoor evasion infostealer spyware stealer suricata trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral28
- Target
  
  9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782
- Size
  
  3MB
- MD5
  
  9725f7f222530388cb2743504a6e0667
- SHA1
  
  56d0eb91855e326b050c904147f4d9dafc596d70
- SHA256
  
  9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782
- SHA512
  
  ea5aedb3c3ab725c9afc65481ef7b59cdfad80613aaf43a8e76ec94045824269b008007644cb7943e65e98a87650f7f980afcd66ae1dee7807d84be57c018663
Score

10^/10

redline smokeloader vidar chris fucker2 media20 aspackv2 backdoor infostealer spyware stealer suricata trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral29
- Target
  
  9d608ed375a27a573add396e92f4f8e831cb71d344fa21f14b04c42788946511
- Size
  
  4MB
- MD5
  
  4263d12dd5f4d595e9efae16102d9b6d
- SHA1
  
  cbf93a6ea05b8da4214fd847c8f209151a0b76bd
- SHA256
  
  9d608ed375a27a573add396e92f4f8e831cb71d344fa21f14b04c42788946511
- SHA512
  
  d548edc17b06d9f047f48bb3190d0840b15b510784965acfa38fbf2b69cf975bc3ea2370484d26eefe79a8e4609a337dede4a783216e8b8de5fb07bcc3204018
Score

10^/10

smokeloader backdoor evasion spyware stealer suricata trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral30
- Target
  
  9ed5bbddf1be7ad2f19ae45eff5839f0e7a7f435f9fd583a49c2ff7a5e860d6e
- Size
  
  4MB
- MD5
  
  eeab16ae25d712b91f2faf84b44a4ca8
- SHA1
  
  fd182f829b29b41495c4cc66be7266062d3b71e0
- SHA256
  
  9ed5bbddf1be7ad2f19ae45eff5839f0e7a7f435f9fd583a49c2ff7a5e860d6e
- SHA512
  
  0074546e453e49d55a9c4ad8ca32bf67bb8346e1b084e90e047a00a3814a7668328a6b188f9595f25c5e784a9c9d6001940dd61f1c666493a92347fb2e6e5292
Score

10^/10

redline smokeloader socelars vidar 916 ani fuck1 media17 aspackv2 backdoor evasion infostealer spyware stealer suricata trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral31
- Target
  
  a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4
- Size
  
  4MB
- MD5
  
  bfc2137972c74edea0f9791b94486e9b
- SHA1
  
  fd72e52406ce3f2ae5cfdb5dd8c7243f3ce31eb3
- SHA256
  
  a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4
- SHA512
  
  9fcd3756f9888e2000b94caf0d803087497b87428c0bd641901d2e416411bc698d9ca3a7a00d3cd711b681f3c8b8921f2a478f0ec1f975bc36fde5cf16741e75
Score

10^/10

raccoon redline smokeloader socelars 2f2ad1a1aa093c5a9d17040c8efd5650a99640b5 chris media18 aspackv2 backdoor evasion infostealer stealer suricata trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral32

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Registry Run Keys / Startup Folder

T1060

Account Manipulation

T1098

BITS Jobs

T1197

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

BITS Jobs

T1197

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

107

T1082

Peripheral Device Discovery

T1120

Virtualization/Sandbox Evasion

T1497

Software Discovery

T1518

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Modifies Windows Defender Real-time Protection settings

Process spawned unexpected child process

RedLine

RedLine Payload

SmokeLoader

Socelars

Socelars Payload

rl_trojan

suricata: ET MALWARE ClipBanker Variant Activity (POST)

suricata: ET MALWARE GCleaner Downloader Activity M5

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Looks up geolocation information via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

Gozi, Gozi IFSB

Modifies Windows Defender Real-time Protection settings

Process spawned unexpected child process

RedLine

RedLine Payload

SmokeLoader

Socelars

Socelars Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Vidar

suricata: ET MALWARE GCleaner Downloader Activity M5

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar Stealer

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall