Resubmissions

10-11-2021 14:52

211110-r84p8aedej 10

09-11-2021 13:19

211109-qkrv3sfcg4 10

General

  • Target

    6040081023533056.zip

  • Size

    210.5MB

  • Sample

    211110-r84p8aedej

  • MD5

    718122e481538fe9069b13d4ad3feccf

  • SHA1

    bd021b079d05d335981651154afe30f158f3f036

  • SHA256

    400debff42246bcf28d1eba937480ebdfa755c932707db10ab58ec4a1f5e94f1

  • SHA512

    5d24fa36f6caa029bb65c50dfea219ab66262bdd6b54a20eefabed7cb9c9c961c189e25304e43ceaf19a4eaa5c7c3618727d36fd3b9ac30b0d083227334dae12

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://gmpeople.com/upload/

http://mile48.com/upload/

http://lecanardstsornin.com/upload/

http://m3600.com/upload/

http://camasirx.com/upload/

http://nalirou70.top/

http://xacokuo80.top/

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

http://bostoc.com/upload/

http://qianyoupj.cn/upload/

http://sleoppen.com/upload/

http://stempelbeton.at/upload/

rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

redline

C2

tatreriash.xyz:80

Extracted

Family

redline

Botnet

she

C2

135.181.129.119:4805

Extracted

Family

socelars

C2

http://www.hhgenice.top/

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

http://www.efxety.top/

Extracted

Family

redline

Botnet

udptest

C2

193.56.146.64:65441

Extracted

Family

vidar

Version

48.1

Botnet

937

Attributes
  • profile_id

    937

Extracted

Family

redline

Botnet

1011h

C2

charirelay.xyz:80

Extracted

Family

redline

Botnet

ANI

C2

194.104.136.5:46013

45.142.215.47:27643

Extracted

Family

redline

Botnet

media14

C2

91.121.67.60:2151

Extracted

Family

raccoon

Botnet

2f2ad1a1aa093c5a9d17040c8efd5650a99640b5

Attributes
  • url4cnc

    http://telegatt.top/oh12manymarty

    http://telegka.top/oh12manymarty

    http://telegin.top/oh12manymarty

    https://t.me/oh12manymarty

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

Chris

C2

194.104.136.5:46013

Extracted

Family

redline

Botnet

media18

C2

91.121.67.60:2151

Extracted

Family

redline

Botnet

fucker2

C2

135.181.129.119:4805

Extracted

Family

vidar

Version

41.4

Botnet

916

C2

https://mas.to/@sslam

Attributes
  • profile_id

    916

Extracted

Family

redline

Botnet

media17

C2

91.121.67.60:2151

Extracted

Family

redline

Botnet

fuck1

C2

135.181.129.119:4805

Extracted

Family

vidar

Version

41.5

Botnet

916

C2

https://mas.to/@xeroxxx

Attributes
  • profile_id

    916

Extracted

Family

redline

Botnet

media13

C2

91.121.67.60:2151

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

fcdc156d3872c18d25e3ee45499599b45e492a67

Attributes
  • url4cnc

    http://178.23.190.57/rino115sipsip

    http://91.219.236.162/rino115sipsip

    http://185.163.47.176/rino115sipsip

    http://193.38.54.238/rino115sipsip

    http://74.119.192.122/rino115sipsip

    http://91.219.236.240/rino115sipsip

    https://t.me/rino115sipsip

rc4.plain
rc4.plain

Extracted

Family

vidar

Version

41.3

Botnet

916

C2

https://mas.to/@oleg98

Attributes
  • profile_id

    916

Extracted

Language
ps1
Source
URLs
exe.dropper

https://cdn.discordapp.com/attachments/523238636561629190/894846072097218580/ghielufuzymmuibugkhmviaajvfwio.exe

Extracted

Family

redline

Botnet

05.10

C2

80.92.205.116:59599

Extracted

Family

redline

Botnet

media12

C2

91.121.67.60:2151

Extracted

Family

redline

Botnet

build

C2

77.232.40.127:8204

Extracted

Family

redline

Botnet

media15

C2

91.121.67.60:2151

Extracted

Family

redline

Botnet

media20

C2

91.121.67.60:2151

Targets

    • Target

      01a53007f9b19d8ae4f12cc75bafcbef064f75d3a4b31b347b334a2d30558d68

    • Size

      3.3MB

    • MD5

      b5b1415b3890d0108ac53acd595497b9

    • SHA1

      876eb8e34ecb3c1fea20e2c6b710346676ad2de2

    • SHA256

      01a53007f9b19d8ae4f12cc75bafcbef064f75d3a4b31b347b334a2d30558d68

    • SHA512

      fe58023cba73deac0229cd45b73227e5d1c1f6760f3f053dbcdb4f388d6234940985f57ab8ffc73c4e8eff4bf3a2ef956cd44bdcdd66c44c1cc1ea86e335e4d0

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • rl_trojan

      redline stealer.

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata: ET MALWARE ClipBanker Variant Activity (POST)

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66

    • Size

      403KB

    • MD5

      f957e397e71010885b67f2afe37d8161

    • SHA1

      a8bf84b971b37ac6e7f66c5e5a7e971a7741401e

    • SHA256

      022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66

    • SHA512

      8b5e9cb926fafc295c403c1fce7aa883db3a327e58c3295e9a081a8937bed28e305cca08c2c7d98080818095ea99bb4047e10aa2f61e3e4d6d965aef6d16a4f6

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

      suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      02ca2b5bb774890c50950ad93becc2851bac8d04c35464dad4854088c5db4135

    • Size

      6.8MB

    • MD5

      dcd0d8a4e476db4602f3beae6a60b4c9

    • SHA1

      7906d0674d60685b06289db375eacf954e3185e3

    • SHA256

      02ca2b5bb774890c50950ad93becc2851bac8d04c35464dad4854088c5db4135

    • SHA512

      62301111141dcc72862dde4d277b4250c25bb7532105348bbb51e8ca30ded5c985016a61978509c271210faf50cbe5d789ce5f6de84511167b2c5131e8041bd8

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Target

      0d69cafe700a952a621c9b5981504e30c939c3d6cc34452691fce67b2eb6c1cd

    • Size

      5.6MB

    • MD5

      a121db3e0809289a5c41c44958ff6fa0

    • SHA1

      fd40bbe6eaeea4004046f65a8c647fabb35e1742

    • SHA256

      0d69cafe700a952a621c9b5981504e30c939c3d6cc34452691fce67b2eb6c1cd

    • SHA512

      0e4af224ea67c07bdce0bae3b4040d900e2c011557ef55d8d0e68d596826561a8d4f3b553cc3290cf60e87ccee975deb65c1de9553fabfee5f67268935d8081f

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

    • Target

      0df647f0a2aa6c1aa1ec9426b9ef7c23eb6394f3ed29fbbdd0e9e228d24510bc

    • Size

      4.4MB

    • MD5

      5fdb93aaa25f3b7e5a0a7d046e92df52

    • SHA1

      450ea998b3090ef6922200b87e49fd0c7f543420

    • SHA256

      0df647f0a2aa6c1aa1ec9426b9ef7c23eb6394f3ed29fbbdd0e9e228d24510bc

    • SHA512

      85421cae4393bd86da4a1d48fbfd4f1fa14ae3c369f9f3da5f4ef5684ce18ed5576d9e221a1264f01cb9a6211113ca64a16e708671f83e946773cd0c430dd8e6

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

    • Target

      1df367eead22695952cce5131891dfec5c479da37cb3dac0403015ebb785032c

    • Size

      4.6MB

    • MD5

      cc2c8271c80d294b35d51b0721d59ba5

    • SHA1

      397ee3270770e940ee868d3d06d9feaed1599d79

    • SHA256

      1df367eead22695952cce5131891dfec5c479da37cb3dac0403015ebb785032c

    • SHA512

      ecfd4c52c008a86ca387a00c530fcac2971080b5cabae4d91da425f3cb042ca2e363c5048c0ea7349ea446f4e3797c04448b84a863fbf9672dded861cc22f34c

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata: ET MALWARE ClipBanker Variant Activity (POST)

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

      suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      1e083736aeca35b40f45693442d37466fa7b61ab36b2cebc2a49cb8c8492a433

    • Size

      5.9MB

    • MD5

      2054a395da9f7a789bef703c5d2d60c1

    • SHA1

      f170cbc93d4fb3f4f92ccd88039272bf78bdfa89

    • SHA256

      1e083736aeca35b40f45693442d37466fa7b61ab36b2cebc2a49cb8c8492a433

    • SHA512

      1439382b36a24d898fc769a742b05c2c9ad898a6e5750e0f7e813fd5d536834e44572061efb0c89af72c5a97c3502e9ee30c2c861154f0fbb4c4164e3880ffcf

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata: ET MALWARE ClipBanker Variant Activity (POST)

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

      suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d

    • Size

      7.1MB

    • MD5

      2b01f663d5244764e8c2d164d3345fd6

    • SHA1

      2b0dfcc018a5da0f140352bd114fb0f5e9abdfc3

    • SHA256

      1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d

    • SHA512

      2c7dd219673800320e3432ff6d8d2e5c2c3ae60a5f5960097d16ff79f385186ce13a81ea5a2b3d17652161d55ea552712f73d2d154b377fa74ec10043469dab4

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Target

      2010009ff5b8b55fbcaa90318461a1b5b69ef6c8fd32ac279e81a10844d57859

    • Size

      3.4MB

    • MD5

      8e909af6cbb66bc255609e7d86360e7c

    • SHA1

      3b3fbbe358970adea4c69ea8a0251407697a09e0

    • SHA256

      2010009ff5b8b55fbcaa90318461a1b5b69ef6c8fd32ac279e81a10844d57859

    • SHA512

      bd943f7562b3849695d5cec246366fc8fc811359edf890a41ed3169bd582e68b02c5831fca738b88a4d71c0e42dd3d202bc48cbc49bad24754465b410369826a

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata: ET MALWARE ClipBanker Variant Activity (POST)

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

      suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493

    • Size

      4.6MB

    • MD5

      664aed619fcf50da08dc9d74f48aad57

    • SHA1

      995df8d6655cf256187df9bc9699bdd094c33616

    • SHA256

      243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493

    • SHA512

      c2b5326396712ef94b51ab52e5f655134978af980db04c09c3cb7a6fce5e236087da790a65b493c1e9760617a2867070ad824a2d458f38a65916594d313254fc

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

      suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

    • Target

      2d63a14e4ab37be8d0eee3d87959e3a0ef972d07411c136ecf2f1ac4191a701a

    • Size

      3.9MB

    • MD5

      e04c606d6936962fe40913b1654410d8

    • SHA1

      37a7a94ea89f4697ad779a43c907deef4fd04f89

    • SHA256

      2d63a14e4ab37be8d0eee3d87959e3a0ef972d07411c136ecf2f1ac4191a701a

    • SHA512

      a98c183a3b9b4cc34544f9cd1ba5ba4a41595ce06d21e0ae2598adc96096411e94a09e3ef72bdc49f7a74b2d58bd7274e041eee2c4d3cee6f2476b3c000c8ba2

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata: ET MALWARE ClipBanker Variant Activity (POST)

    • suricata: ET MALWARE ServHelper CnC Inital Checkin

      suricata: ET MALWARE ServHelper CnC Inital Checkin

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies RDP port number used by Windows

    • Sets DLL path for service in the registry

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      30e6815ae008a8638c5b30460098904121e0b98c7e87784d950f1dc55aafec51

    • Size

      8KB

    • MD5

      af6e236e2635e451927e7e99f159709a

    • SHA1

      ff5a827131c817a3bf95bb8b798b272101428618

    • SHA256

      30e6815ae008a8638c5b30460098904121e0b98c7e87784d950f1dc55aafec51

    • SHA512

      4b4fd1668211f7193c0b41bb014015f9502b2b75cb0237500c4754e3925d16f719e5154b5fe3cc328d867cfd3cd480802d6150140a48ba5a6ca407100b4b08e6

    Score
    1/10
    • Target

      364d3b0e9456ecff4518f48695df817af1fdcd76c1f9644a35cfe5ec621e5ffa

    • Size

      5.6MB

    • MD5

      395991dd927c34de92ef13d9dad8664a

    • SHA1

      d7a6e083fc39aa0933865549dd553e83e7f486bf

    • SHA256

      364d3b0e9456ecff4518f48695df817af1fdcd76c1f9644a35cfe5ec621e5ffa

    • SHA512

      f27eb6c9c63e1a40dc675b40b419481b95e27e4ceff042fe94a0ef8a77568844900d962485cfd7a1035203161693cba320375b5cc57cd12c51695a5252d78fb3

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata: ET MALWARE ClipBanker Variant Activity (POST)

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

      suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      3a4e2dfbd7943c7200d7c5ea70c2b0117408d3c1ac3cac7b757d8e05dcc9ff00

    • Size

      3.4MB

    • MD5

      b1e9f93ed954f84cc0144c40c75f178f

    • SHA1

      a11c3dc288597c4139fbcab21474dd69931b8668

    • SHA256

      3a4e2dfbd7943c7200d7c5ea70c2b0117408d3c1ac3cac7b757d8e05dcc9ff00

    • SHA512

      6a3b1f513a5cdabdc6dae142fa9a61f683a2e514e0f4f1a5b20902eeb2d0918f636b600529ebf20020835d8b2b987d4123c94ee4755df1bb31274a5a4ee16da2

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

    • Target

      4a4a606501eea3b8b9e128412455243ca20de0efe374c9c47ff3b5caac457375

    • Size

      5.0MB

    • MD5

      2b0ce83a2a1065ef402b7a50f45892fd

    • SHA1

      d66a565247f9df9ac0bdb3725eee121e98d8914d

    • SHA256

      4a4a606501eea3b8b9e128412455243ca20de0efe374c9c47ff3b5caac457375

    • SHA512

      42d19f0130d34a3b37e78b6f1ba9c3c7e07d99e0a76dc005be976c51c2a363e64d475b9caa6805d3e8c1da2a4d32020f307eaae68b41d8c815ae1da8ec0db2ca

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      4d89b007686d09c5143127f408435b76d2ea36991b728985ac47dcf797e6e7c0

    • Size

      5.9MB

    • MD5

      1f998b076047371b95763abf57a2eb5f

    • SHA1

      8ef5c726e13d658b2be905e5274cdb0ae5fd60ca

    • SHA256

      4d89b007686d09c5143127f408435b76d2ea36991b728985ac47dcf797e6e7c0

    • SHA512

      c9f3603af56effaee8a6027339d359c4954251d17d3168e638eba99fdfc25d1082de86d6bff601f985b4f8819b9808c4e2dcaa8b97947d9595edf791f986f716

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Target

      5524bfd8269c656293e16b8da80bd43983f457f261f052e166d90a079517115f

    • Size

      4.7MB

    • MD5

      2f3136374745c23cc8b0d05329712308

    • SHA1

      06a587bb27cca266d53a593d445b7917faae8646

    • SHA256

      5524bfd8269c656293e16b8da80bd43983f457f261f052e166d90a079517115f

    • SHA512

      4efcdd92d0e4234d20b64dd1442931dcc4e8c0b0b5490b2edbdcc5ce209f39b74730f1c0ded07c3d229507b5ce666df76dab4a1dda6ed4d2147fc4da1b81de7b

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Target

      582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b

    • Size

      3.8MB

    • MD5

      b968dfca2c74f26c008abffa22c74581

    • SHA1

      160dc676ce1696daa20f3c2d56cf41d84481d628

    • SHA256

      582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b

    • SHA512

      8146433494d3150b8a0c47783bfe004a8f6503eb71ffc87c508b76342a864f10f9913918a9e0828cfd83634d054868f129e06e4eb3c989c88b1e6c15e1262881

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata: ET MALWARE ClipBanker Variant Activity (POST)

    • suricata: ET MALWARE ServHelper CnC Inital Checkin

      suricata: ET MALWARE ServHelper CnC Inital Checkin

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies RDP port number used by Windows

    • Sets DLL path for service in the registry

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      588b74dc8e2473c34be3e958cb4f63e6466feb0be21e7b0a6418c1c8112ee370

    • Size

      4.6MB

    • MD5

      50693ca6be65ab9f3ab8dc4541821206

    • SHA1

      58f816723e3c1f58c6c90a1b4b19a97bf6765fb7

    • SHA256

      588b74dc8e2473c34be3e958cb4f63e6466feb0be21e7b0a6418c1c8112ee370

    • SHA512

      1f4935a35ae18890abaee552f2a2215bfcd6b7b9b337f48d4a8af9e3e69a90de61d4f5e09c939bd262e8dfc11503b7dd303934a866ace51969abc69a55bfe4cd

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata: ET MALWARE ClipBanker Variant Activity (POST)

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

      suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      609accbb14b3fb81d04e3142447678c4a163ec4fa6e33256e00f723e64b0852b

    • Size

      3.9MB

    • MD5

      fae157c539487f1e83d8548854409b2e

    • SHA1

      cbca5a5851e0a8e501b63fb075cc24becb8e956f

    • SHA256

      609accbb14b3fb81d04e3142447678c4a163ec4fa6e33256e00f723e64b0852b

    • SHA512

      c13dbe3ca16660ac59cf56cec6b8e5fdd6a2221a05a8f252e4311445a8d883c29c4ab7a4e3ffaa3ff207e8508540c0153f1e9b36f29f64f53767a46bad79b10f

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

    • Target

      620a9a3efa423f182b5126bec022a1871d7051d08065495ba7bed12e18668111

    • Size

      4.6MB

    • MD5

      bbdcb9ff39692c100a8b20f3c2b3ed3d

    • SHA1

      9bbf2e4dc2ac398596fe87cd09f9add86b27fb16

    • SHA256

      620a9a3efa423f182b5126bec022a1871d7051d08065495ba7bed12e18668111

    • SHA512

      d2935c9ae3eafd5c5ccd89a0864eb6dc647d32a0b36f20b3eeb94540982fd9721aaf8f70a8f5a09e9016b9e01e46682a053f44583ecffa14fef34ff4948422a7

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

      suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

    • Target

      623bb62b2bdec1c2b272fbeb0da95904b91f20f95a27dc8a59d0ca4c1010ef7c

    • Size

      5.4MB

    • MD5

      15b7d616b28fb9df36d631a27dbf2e93

    • SHA1

      0019bad9cc179f7274b620da0a75728a46331500

    • SHA256

      623bb62b2bdec1c2b272fbeb0da95904b91f20f95a27dc8a59d0ca4c1010ef7c

    • SHA512

      e3a4c09bcc5d1c76ee8e3927fddaf08c3027a1e381067ac69e6688e2254158b9048899349b4fbec3e0cbbcc5a7a55ba8827e93be9641bc7f64bce17b56be7831

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata: ET MALWARE ClipBanker Variant Activity (POST)

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

      suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      642c69b7109f087d01166ed237a4fd4611a2209a11e23a8dc2f2ba5aec3118bc

    • Size

      5.8MB

    • MD5

      2a63fa2ace27f76ad1a17c6f1bb01353

    • SHA1

      44fa3ece4acf17cfc51a36960f65b8bd81feea5e

    • SHA256

      642c69b7109f087d01166ed237a4fd4611a2209a11e23a8dc2f2ba5aec3118bc

    • SHA512

      711d462e56226e3170fd63cc87362a046ae398bc33258d3fc7cefdb1f973a266848b6b4510f60ffbfdfedfff980d2e346af0fa6e2b841624aae0f04ebb82a9e1

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Target

      6e18165c4a3685b247b326103b7a12266f7d01a8831aa97e710449273263dc34

    • Size

      2.7MB

    • MD5

      c6fe254394e47430b9082139448aabe9

    • SHA1

      ec0993c200353cbc1ccaacd53643e4077bf75a78

    • SHA256

      6e18165c4a3685b247b326103b7a12266f7d01a8831aa97e710449273263dc34

    • SHA512

      131bdb23487fb5e8df908cc3e8d1609cd67290fd13fa3c5999ae8d706d4178aa8dd46f809b5ba92ad929b6b22dcb463a475e77bcbf07f82512697893ed513408

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata: ET MALWARE ClipBanker Variant Activity (POST)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      78a82aa6d47c01237be6b269d2bda88a9ca0b1e6eecc29ba631e18fbbd18e5cd

    • Size

      504KB

    • MD5

      7f1faa8a4ddb32af19428f462da72136

    • SHA1

      c7dea48daab84594fa0138542c274e8e9ce1fedf

    • SHA256

      78a82aa6d47c01237be6b269d2bda88a9ca0b1e6eecc29ba631e18fbbd18e5cd

    • SHA512

      f8a4c204224d200f326f7782e4b1024cd2745631727f948eb7904267113d062a0f34d1b53b6b972e0dbf4f37e4e08b5b4b8e6878f3677100513fbf515ef84057

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      809ed9e2d09751dad774b865881411b32bd24ad1626e331c0760b507c20eb741

    • Size

      6.8MB

    • MD5

      85fdfaf0375116479cb4d27c7bfd1263

    • SHA1

      64f6c4fafa6477128a4594435c6160a94c29a269

    • SHA256

      809ed9e2d09751dad774b865881411b32bd24ad1626e331c0760b507c20eb741

    • SHA512

      91a50317af88a6f5c33f471f771c04cb56aa5228bceeb94336d10d7934c056fcd682c5f20ad693399ed02be142173c60f28a1884664ead07dbdec312674b4a5b

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Target

      82bf2273f62e1bb50f3189fcf8bcf367a264e6942848209c325b3dd5da2cd62f

    • Size

      6.0MB

    • MD5

      d4074889823e1903a7cad0b5fec73ec2

    • SHA1

      b143adc240983728c546d24af9f15e987e181883

    • SHA256

      82bf2273f62e1bb50f3189fcf8bcf367a264e6942848209c325b3dd5da2cd62f

    • SHA512

      3af61a360e747ef3751e7108c3b54ead237da4b267af34c798986891adfceb7d0c41cde9ce8f73dd8666c0f39037a62ae9b3044c237777b5170c5abb24725ee5

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

    • Target

      9bd142ecfe89857de80bb3255a1655f680ca6451b45cca235096dc1c1285e806

    • Size

      3.9MB

    • MD5

      a4d23ac3c7172b9aa02e35b6bf0fd21f

    • SHA1

      0326aab7deddfefc048c9a67ac9ce4ee14ea9003

    • SHA256

      9bd142ecfe89857de80bb3255a1655f680ca6451b45cca235096dc1c1285e806

    • SHA512

      9e425d8a1beaeabfc983bb75a7a5f8a8c0823e825e9f66e17b0f515b2897da9f2d9b2f1aa9939fdbae6c826c2c730d3bc772abec9e35a61d3d73a6cdb87ddf10

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata: ET MALWARE ClipBanker Variant Activity (POST)

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

      suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782

    • Size

      3.6MB

    • MD5

      9725f7f222530388cb2743504a6e0667

    • SHA1

      56d0eb91855e326b050c904147f4d9dafc596d70

    • SHA256

      9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782

    • SHA512

      ea5aedb3c3ab725c9afc65481ef7b59cdfad80613aaf43a8e76ec94045824269b008007644cb7943e65e98a87650f7f980afcd66ae1dee7807d84be57c018663

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata: ET MALWARE ClipBanker Variant Activity (POST)

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

      suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

      suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      9d608ed375a27a573add396e92f4f8e831cb71d344fa21f14b04c42788946511

    • Size

      4.0MB

    • MD5

      4263d12dd5f4d595e9efae16102d9b6d

    • SHA1

      cbf93a6ea05b8da4214fd847c8f209151a0b76bd

    • SHA256

      9d608ed375a27a573add396e92f4f8e831cb71d344fa21f14b04c42788946511

    • SHA512

      d548edc17b06d9f047f48bb3190d0840b15b510784965acfa38fbf2b69cf975bc3ea2370484d26eefe79a8e4609a337dede4a783216e8b8de5fb07bcc3204018

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata: ET MALWARE ClipBanker Variant Activity (POST)

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      9ed5bbddf1be7ad2f19ae45eff5839f0e7a7f435f9fd583a49c2ff7a5e860d6e

    • Size

      4.5MB

    • MD5

      eeab16ae25d712b91f2faf84b44a4ca8

    • SHA1

      fd182f829b29b41495c4cc66be7266062d3b71e0

    • SHA256

      9ed5bbddf1be7ad2f19ae45eff5839f0e7a7f435f9fd583a49c2ff7a5e860d6e

    • SHA512

      0074546e453e49d55a9c4ad8ca32bf67bb8346e1b084e90e047a00a3814a7668328a6b188f9595f25c5e784a9c9d6001940dd61f1c666493a92347fb2e6e5292

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

    • Target

      a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4

    • Size

      4.4MB

    • MD5

      bfc2137972c74edea0f9791b94486e9b

    • SHA1

      fd72e52406ce3f2ae5cfdb5dd8c7243f3ce31eb3

    • SHA256

      a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4

    • SHA512

      9fcd3756f9888e2000b94caf0d803087497b87428c0bd641901d2e416411bc698d9ca3a7a00d3cd711b681f3c8b8921f2a478f0ec1f975bc36fde5cf16741e75

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

24
T1053

Persistence

Modify Existing Service

34
T1031

Scheduled Task

24
T1053

Registry Run Keys / Startup Folder

7
T1060

Account Manipulation

2
T1098

BITS Jobs

1
T1197

Privilege Escalation

Scheduled Task

24
T1053

Defense Evasion

Modify Registry

39
T1112

Disabling Security Tools

16
T1089

Virtualization/Sandbox Evasion

9
T1497

Install Root Certificate

12
T1130

BITS Jobs

1
T1197

Credential Access

Credentials in Files

35
T1081

Discovery

Query Registry

84
T1012

System Information Discovery

107
T1082

Peripheral Device Discovery

26
T1120

Virtualization/Sandbox Evasion

9
T1497

Software Discovery

1
T1518

Lateral Movement

Remote Desktop Protocol

2
T1076

Collection

Data from Local System

35
T1005

Command and Control

Web Service

30
T1102

Tasks

static1

Score
N/A

behavioral1

redlinesmokeloadersocelarssheaspackv2backdoorevasioninfostealerspywarestealersuricatathemidatrojan
Score
10/10

behavioral2

gozi_ifsbredlinesmokeloadersocelarsvidarxmrig1011h937udptestbackdoorbankerdiscoveryevasioninfostealerminerspywarestealersuricatathemidatrojanvmprotect
Score
10/10

behavioral3

redlinesmokeloadersocelarsanimedia14sheaspackv2backdoorinfostealerstealersuricatatrojan
Score
10/10

behavioral4

redlinesmokeloadersocelarsanisheaspackv2backdoorevasioninfostealerspywarestealersuricatatrojan
Score
10/10

behavioral5

raccoonredlinesmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5chrismedia18aspackv2backdoorevasioninfostealerspywarestealersuricatatrojan
Score
10/10

behavioral6

raccoonredlinesmokeloadersocelarsvidar2f2ad1a1aa093c5a9d17040c8efd5650a99640b5fucker2media18aspackv2backdoordiscoveryevasioninfostealerspywarestealersuricatatrojan
Score
10/10

behavioral7

redlinesmokeloadersocelarsvidarxmrig916937animedia17aspackv2backdoordiscoveryevasioninfostealerminerpersistencespywarestealersuricatatrojan
Score
10/10

behavioral8

raccoonredlinesmokeloadersocelarsvidar2f2ad1a1aa093c5a9d17040c8efd5650a99640b5916fuck1media18aspackv2backdoorinfostealerstealersuricatatrojan
Score
10/10

behavioral9

redlinesmokeloadersocelarsvidar937media13sheaspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatatrojan
Score
10/10

behavioral10

raccoonredlinesmokeloadersocelarsvidar2f2ad1a1aa093c5a9d17040c8efd5650a99640b5fucker2media18aspackv2backdoorevasioninfostealerspywarestealersuricatatrojan
Score
10/10

behavioral11

raccoonredlinesmokeloadersocelarsanifcdc156d3872c18d25e3ee45499599b45e492a67sheaspackv2backdoorinfostealerpersistencespywarestealersuricatatrojan
Score
10/10

behavioral12

Score
1/10

behavioral13

redlinesmokeloadersocelarsvidar916937anisheaspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatatrojan
Score
10/10

behavioral14

redlinesmokeloadervidaranimedia13sheaspackv2backdoorevasioninfostealerspywarestealersuricatatrojan
Score
10/10

behavioral15

redlinesmokeloadersocelars05.10backdoordiscoveryevasioninfostealerspywarestealersuricatathemidatrojan
Score
10/10

behavioral16

redlinesmokeloadersocelarsvidar916aniaspackv2backdoorevasioninfostealerspywarestealersuricatatrojan
Score
10/10

behavioral17

redlinesmokeloaderanimedia12sheaspackv2backdoorevasioninfostealerpersistencespywarestealersuricatatrojan
Score
10/10

behavioral18

raccoonredlinesmokeloadersocelarsanifcdc156d3872c18d25e3ee45499599b45e492a67sheaspackv2backdoorinfostealerpersistencespywarestealersuricatatrojan
Score
10/10

behavioral19

redlinesocelarsvidar05.10builddiscoveryevasioninfostealerspywarestealersuricatathemidatrojanvmprotect
Score
10/10

behavioral20

redlinesmokeloadersocelarssheaspackv2backdoorevasioninfostealerspywarestealersuricatatrojan
Score
10/10

behavioral21

raccoonredlinesmokeloadersocelarsvidar2f2ad1a1aa093c5a9d17040c8efd5650a99640b5937fucker2media18aspackv2backdoorevasioninfostealerspywarestealersuricatatrojan
Score
10/10

behavioral22

redlinesmokeloadersocelarsvidar937anisheaspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatatrojan
Score
10/10

behavioral23

redlinesmokeloadersocelarsvidar916anisheaspackv2backdoorevasioninfostealerspywarestealersuricatatrojan
Score
10/10

behavioral24

raccoonsmokeloaderfcdc156d3872c18d25e3ee45499599b45e492a67backdoorstealersuricatatrojan
Score
10/10

behavioral25

Score
8/10

behavioral26

redlinesmokeloadersocelarsanimedia15sheaspackv2backdoorevasioninfostealerstealersuricatatrojan
Score
10/10

behavioral27

redlinesmokeloadersocelarsvidar916937animedia17aspackv2backdoorevasioninfostealerspywarestealersuricatatrojan
Score
10/10

behavioral28

redlinesmokeloadersocelarsvidaranisheaspackv2backdoorevasioninfostealerspywarestealersuricatatrojan
Score
10/10

behavioral29

redlinesmokeloadervidarchrisfucker2media20aspackv2backdoorinfostealerspywarestealersuricatatrojan
Score
10/10

behavioral30

smokeloaderbackdoorevasionspywarestealersuricatatrojan
Score
10/10

behavioral31

redlinesmokeloadersocelarsvidar916anifuck1media17aspackv2backdoorevasioninfostealerspywarestealersuricatatrojan
Score
10/10

behavioral32

raccoonredlinesmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5chrismedia18aspackv2backdoorevasioninfostealerstealersuricatatrojan
Score
10/10