6040081023533056.zip

Target

Size

210MB

Sample

211110-r84p8aedej

Score

10 ^/10

MD5

718122e481538fe9069b13d4ad3feccf

SHA1

bd021b079d05d335981651154afe30f158f3f036

SHA256

400debff42246bcf28d1eba937480ebdfa755c932707db10ab58ec4a1f5e94f1

SHA512

5d24fa36f6caa029bb65c50dfea219ab66262bdd6b54a20eefabed7cb9c9c961c189e25304e43ceaf19a4eaa5c7c3618727d36fd3b9ac30b0d083227334dae12

Extracted

Family	smokeloader
Version	2020
C2	http://gmpeople.com/upload/ http://mile48.com/upload/ http://lecanardstsornin.com/upload/ http://m3600.com/upload/ http://camasirx.com/upload/ http://nalirou70.top/ http://xacokuo80.top/ http://directorycart.com/upload/ http://tierzahnarzt.at/upload/ http://streetofcards.com/upload/ http://ycdfzd.com/upload/ http://successcoachceo.com/upload/ http://uhvu.cn/upload/ http://japanarticle.com/upload/ http://bostoc.com/upload/ http://qianyoupj.cn/upload/ http://sleoppen.com/upload/ http://stempelbeton.at/upload/ http://gmpeople.com/upload/ http://mile48.com/upload/ http://lecanardstsornin.com/upload/ http://m3600.com/upload/ http://camasirx.com/upload/ http://nalirou70.top/ http://xacokuo80.top/ http://directorycart.com/upload/ http://tierzahnarzt.at/upload/ http://streetofcards.com/upload/ http://ycdfzd.com/upload/ http://successcoachceo.com/upload/ http://uhvu.cn/upload/ http://japanarticle.com/upload/ http://bostoc.com/upload/ http://qianyoupj.cn/upload/ http://sleoppen.com/upload/ http://stempelbeton.at/upload/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family	redline
C2	tatreriash.xyz:80 tatreriash.xyz:80

Extracted

Family	redline
Botnet	she
C2	135.181.129.119:4805 135.181.129.119:4805

Extracted

Family	socelars
C2	http://www.hhgenice.top/ http://www.iyiqian.com/ http://www.hbgents.top/ http://www.rsnzhy.com/ http://www.znsjis.top/ http://www.efxety.top/ http://www.hhgenice.top/ http://www.iyiqian.com/ http://www.hbgents.top/ http://www.rsnzhy.com/ http://www.znsjis.top/ http://www.efxety.top/

Extracted

Family	redline
Botnet	udptest
C2	193.56.146.64:65441 193.56.146.64:65441

Extracted

Family	vidar
Version	48.1
Botnet	937
Attributes	profile_id 937

Extracted

Family	redline
Botnet	1011h
C2	charirelay.xyz:80 charirelay.xyz:80

Extracted

Family	redline
Botnet	ANI
C2	194.104.136.5:46013 45.142.215.47:27643 194.104.136.5:46013 45.142.215.47:27643

Extracted

Family	redline
Botnet	media14
C2	91.121.67.60:2151 91.121.67.60:2151

Extracted

Family	raccoon
Botnet	2f2ad1a1aa093c5a9d17040c8efd5650a99640b5
Attributes	url4cnc http://telegatt.top/oh12manymarty http://telegka.top/oh12manymarty http://telegin.top/oh12manymarty https://t.me/oh12manymarty
rc4.plain
rc4.plain

Extracted

Family	redline
Botnet	Chris
C2	194.104.136.5:46013 194.104.136.5:46013

Extracted

Family	redline
Botnet	media18
C2	91.121.67.60:2151 91.121.67.60:2151

Extracted

Family	redline
Botnet	fucker2
C2	135.181.129.119:4805 135.181.129.119:4805

Extracted

Family	vidar
Version	41.4
Botnet	916
C2	https://mas.to/@sslam https://mas.to/@sslam
Attributes	profile_id 916

Extracted

Family	redline
Botnet	media17
C2	91.121.67.60:2151 91.121.67.60:2151

Extracted

Family	redline
Botnet	fuck1
C2	135.181.129.119:4805 135.181.129.119:4805

Extracted

Family	vidar
Version	41.5
Botnet	916
C2	https://mas.to/@xeroxxx https://mas.to/@xeroxxx
Attributes	profile_id 916

Extracted

Family	redline
Botnet	media13
C2	91.121.67.60:2151 91.121.67.60:2151

Extracted

Language	ps1
Deobfuscated
URLs	https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1 ps1.dropper https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family	raccoon
Version	1.8.3-hotfix
Botnet	fcdc156d3872c18d25e3ee45499599b45e492a67
Attributes	url4cnc http://178.23.190.57/rino115sipsip http://91.219.236.162/rino115sipsip http://185.163.47.176/rino115sipsip http://193.38.54.238/rino115sipsip http://74.119.192.122/rino115sipsip http://91.219.236.240/rino115sipsip https://t.me/rino115sipsip
rc4.plain
rc4.plain

Extracted

Family	vidar
Version	41.3
Botnet	916
C2	https://mas.to/@oleg98 https://mas.to/@oleg98
Attributes	profile_id 916

Extracted

Language	ps1
Source
URLs	https://cdn.discordapp.com/attachments/523238636561629190/894846072097218580/ghielufuzymmuibugkhmviaajvfwio.exe exe.dropper https://cdn.discordapp.com/attachments/523238636561629190/894846072097218580/ghielufuzymmuibugkhmviaajvfwio.exe

Extracted

Family	redline
Botnet	05.10
C2	80.92.205.116:59599 80.92.205.116:59599

Extracted

Family	redline
Botnet	media12
C2	91.121.67.60:2151 91.121.67.60:2151

Extracted

Family	redline
Botnet	build
C2	77.232.40.127:8204 77.232.40.127:8204

Extracted

Family	redline
Botnet	media15
C2	91.121.67.60:2151 91.121.67.60:2151

Extracted

Family	redline
Botnet	media20
C2	91.121.67.60:2151 91.121.67.60:2151

Target

01a53007f9b19d8ae4f12cc75bafcbef064f75d3a4b31b347b334a2d30558d68

MD5

b5b1415b3890d0108ac53acd595497b9

Filesize

3MB

Score

10^/10

SHA1

876eb8e34ecb3c1fea20e2c6b710346676ad2de2

SHA256

01a53007f9b19d8ae4f12cc75bafcbef064f75d3a4b31b347b334a2d30558d68

SHA512

fe58023cba73deac0229cd45b73227e5d1c1f6760f3f053dbcdb4f388d6234940985f57ab8ffc73c4e8eff4bf3a2ef956cd44bdcdd66c44c1cc1ea86e335e4d0

Tags

redline smokeloader socelars she aspackv2 backdoor evasion infostealer spyware stealer suricata themida trojan

Signatures

Modifies Windows Defender Real-time Protection settings
Tags

evasion trojan

TTPs

Modify RegistryModify Existing ServiceDisabling Security Tools
Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Socelars Payload
rl_trojan
Description

redline stealer.
Tags

stealer
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Description

suricata: ET MALWARE ClipBanker Variant Activity (POST)
Tags

suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
Description

suricata: ET MALWARE GCleaner Downloader Activity M5
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags

suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags

suricata
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Tags

evasion

TTPs

Modify Existing Service
Checks computer location settings
Description

Looks up country code configured in the registry, likely geofence.
TTPs

Query RegistrySystem Information Discovery
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Themida packer
Description

Detects Themida, an advanced Windows software protection system.
Tags

themida
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in System32 directory
Suspicious use of SetThreadContext

Related Tasks

behavioral1

Target

022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66

MD5

f957e397e71010885b67f2afe37d8161

Filesize

403KB

Score

10^/10

SHA1

a8bf84b971b37ac6e7f66c5e5a7e971a7741401e

SHA256

022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66

SHA512

8b5e9cb926fafc295c403c1fce7aa883db3a327e58c3295e9a081a8937bed28e305cca08c2c7d98080818095ea99bb4047e10aa2f61e3e4d6d965aef6d16a4f6

Tags

gozi_ifsb redline smokeloader socelars vidar xmrig 1011h 937 udptest backdoor banker discovery evasion infostealer miner spyware stealer suricata themida trojan vmprotect

Signatures

Gozi, Gozi IFSB
Description

Gozi ISFB is a well-known and widely distributed banking trojan.
Tags

banker trojan gozi_ifsb
Modifies Windows Defender Real-time Protection settings
Tags

evasion trojan

TTPs

Modify RegistryModify Existing ServiceDisabling Security Tools
Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Description

Vidar is an infostealer based on Arkei stealer.
Tags

stealer vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
Description

suricata: ET MALWARE GCleaner Downloader Activity M5
Tags

suricata
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
Description

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags

suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags

suricata
xmrig
Description

XMRig is a high performance, open source, cross platform CPU/GPU miner.
Tags

miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags

evasion

TTPs

Query RegistryVirtualization/Sandbox Evasion
Vidar Stealer
Tags

stealer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Tags

evasion

TTPs

Modify Existing Service
VMProtect packed file
Description

Detects executables packed with VMProtect commercial packer.
Tags

vmprotect
Checks BIOS information in registry
Description

BIOS information is often read in order to detect sandboxing environments.
TTPs

Query RegistrySystem Information Discovery
Checks computer location settings
Description

Looks up country code configured in the registry, likely geofence.
TTPs

Query RegistrySystem Information Discovery
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Themida packer
Description

Detects Themida, an advanced Windows software protection system.
Tags

themida
Checks installed software on the system
Description

Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags

discovery

TTPs

Query Registry
Checks whether UAC is enabled
Tags

evasion trojan

TTPs

System Information Discovery
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

Related Tasks

behavioral2

Target

02ca2b5bb774890c50950ad93becc2851bac8d04c35464dad4854088c5db4135

MD5

dcd0d8a4e476db4602f3beae6a60b4c9

Filesize

6MB

Score

10^/10

SHA1

7906d0674d60685b06289db375eacf954e3185e3

SHA256

02ca2b5bb774890c50950ad93becc2851bac8d04c35464dad4854088c5db4135

SHA512

62301111141dcc72862dde4d277b4250c25bb7532105348bbb51e8ca30ded5c985016a61978509c271210faf50cbe5d789ce5f6de84511167b2c5131e8041bd8

Tags

redline smokeloader socelars ani media14 she aspackv2 backdoor infostealer stealer suricata trojan

Signatures

Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Socelars Payload
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.

Related Tasks

behavioral3

Target

0d69cafe700a952a621c9b5981504e30c939c3d6cc34452691fce67b2eb6c1cd

MD5

a121db3e0809289a5c41c44958ff6fa0

Filesize

5MB

Score

10^/10

SHA1

fd40bbe6eaeea4004046f65a8c647fabb35e1742

SHA256

0d69cafe700a952a621c9b5981504e30c939c3d6cc34452691fce67b2eb6c1cd

SHA512

0e4af224ea67c07bdce0bae3b4040d900e2c011557ef55d8d0e68d596826561a8d4f3b553cc3290cf60e87ccee975deb65c1de9553fabfee5f67268935d8081f

Tags

redline smokeloader socelars ani she aspackv2 backdoor evasion infostealer spyware stealer suricata trojan

Signatures

Modifies Windows Defender Real-time Protection settings
Tags

evasion trojan

TTPs

Modify RegistryModify Existing ServiceDisabling Security Tools
Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Socelars Payload
suricata: ET MALWARE GCleaner Downloader Activity M5
Description

suricata: ET MALWARE GCleaner Downloader Activity M5
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags

suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags

suricata
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Tags

evasion

TTPs

Modify Existing Service
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext

Related Tasks

behavioral4

Target

0df647f0a2aa6c1aa1ec9426b9ef7c23eb6394f3ed29fbbdd0e9e228d24510bc

MD5

5fdb93aaa25f3b7e5a0a7d046e92df52

Filesize

4MB

Score

10^/10

SHA1

450ea998b3090ef6922200b87e49fd0c7f543420

SHA256

0df647f0a2aa6c1aa1ec9426b9ef7c23eb6394f3ed29fbbdd0e9e228d24510bc

SHA512

85421cae4393bd86da4a1d48fbfd4f1fa14ae3c369f9f3da5f4ef5684ce18ed5576d9e221a1264f01cb9a6211113ca64a16e708671f83e946773cd0c430dd8e6

Tags

raccoon redline smokeloader socelars 2f2ad1a1aa093c5a9d17040c8efd5650a99640b5 chris media18 aspackv2 backdoor evasion infostealer spyware stealer suricata trojan

Signatures

Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
Raccoon
Description

Simple but powerful infostealer which was very active in 2019.
Tags

stealer raccoon
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE GCleaner Downloader Activity M5
Description

suricata: ET MALWARE GCleaner Downloader Activity M5
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags

suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags

suricata
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Tags

evasion

TTPs

Modify Existing Service
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext

Related Tasks

behavioral5

Target

1df367eead22695952cce5131891dfec5c479da37cb3dac0403015ebb785032c

MD5

cc2c8271c80d294b35d51b0721d59ba5

Filesize

4MB

Score

10^/10

SHA1

397ee3270770e940ee868d3d06d9feaed1599d79

SHA256

1df367eead22695952cce5131891dfec5c479da37cb3dac0403015ebb785032c

SHA512

ecfd4c52c008a86ca387a00c530fcac2971080b5cabae4d91da425f3cb042ca2e363c5048c0ea7349ea446f4e3797c04448b84a863fbf9672dded861cc22f34c

Tags

raccoon redline smokeloader socelars vidar 2f2ad1a1aa093c5a9d17040c8efd5650a99640b5 fucker2 media18 aspackv2 backdoor discovery evasion infostealer spyware stealer suricata trojan

Signatures

Modifies Windows Defender Real-time Protection settings
Tags

evasion trojan

TTPs

Modify RegistryModify Existing ServiceDisabling Security Tools
Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
Raccoon
Description

Simple but powerful infostealer which was very active in 2019.
Tags

stealer raccoon
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Description

Vidar is an infostealer based on Arkei stealer.
Tags

stealer vidar
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Description

suricata: ET MALWARE ClipBanker Variant Activity (POST)
Tags

suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
Description

suricata: ET MALWARE GCleaner Downloader Activity M5
Tags

suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Description

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Tags

suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Description

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Tags

suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Description

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags

suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags

suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags

evasion

TTPs

Query RegistryVirtualization/Sandbox Evasion
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Tags

evasion

TTPs

Modify Existing Service
Checks BIOS information in registry
Description

BIOS information is often read in order to detect sandboxing environments.
TTPs

Query RegistrySystem Information Discovery
Checks computer location settings
Description

Looks up country code configured in the registry, likely geofence.
TTPs

Query RegistrySystem Information Discovery
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Accesses 2FA software files, possible credential harvesting
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Tags

spyware

TTPs

Data from Local SystemCredentials in Files
Checks installed software on the system
Description

Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags

discovery

TTPs

Query Registry
Checks whether UAC is enabled
Tags

evasion trojan

TTPs

System Information Discovery
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

Related Tasks

behavioral6

Target

1e083736aeca35b40f45693442d37466fa7b61ab36b2cebc2a49cb8c8492a433

MD5

2054a395da9f7a789bef703c5d2d60c1

Filesize

5MB

Score

10^/10

SHA1

f170cbc93d4fb3f4f92ccd88039272bf78bdfa89

SHA256

1e083736aeca35b40f45693442d37466fa7b61ab36b2cebc2a49cb8c8492a433

SHA512

1439382b36a24d898fc769a742b05c2c9ad898a6e5750e0f7e813fd5d536834e44572061efb0c89af72c5a97c3502e9ee30c2c861154f0fbb4c4164e3880ffcf

Tags

redline smokeloader socelars vidar xmrig 916 937 ani media17 aspackv2 backdoor discovery evasion infostealer miner persistence spyware stealer suricata trojan

Signatures

Modifies Windows Defender Real-time Protection settings
Tags

evasion trojan

TTPs

Modify RegistryModify Existing ServiceDisabling Security Tools
Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Description

Vidar is an infostealer based on Arkei stealer.
Tags

stealer vidar
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Description

suricata: ET MALWARE ClipBanker Variant Activity (POST)
Tags

suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
Description

suricata: ET MALWARE GCleaner Downloader Activity M5
Tags

suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Description

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Tags

suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Description

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Tags

suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Description

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Tags

suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Description

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags

suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags

suricata
xmrig
Description

XMRig is a high performance, open source, cross platform CPU/GPU miner.
Tags

miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags

evasion

TTPs

Query RegistryVirtualization/Sandbox Evasion
Vidar Stealer
Tags

stealer
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Tags

evasion

TTPs

Modify Existing Service
Checks BIOS information in registry
Description

BIOS information is often read in order to detect sandboxing environments.
TTPs

Query RegistrySystem Information Discovery
Checks computer location settings
Description

Looks up country code configured in the registry, likely geofence.
TTPs

Query RegistrySystem Information Discovery
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Accesses 2FA software files, possible credential harvesting
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Tags

spyware

TTPs

Data from Local SystemCredentials in Files
Adds Run key to start application
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Checks installed software on the system
Description

Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags

discovery

TTPs

Query Registry
Checks whether UAC is enabled
Tags

evasion trojan

TTPs

System Information Discovery
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

Related Tasks

behavioral7

Target

1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d

MD5

2b01f663d5244764e8c2d164d3345fd6

Filesize

7MB

Score

10^/10

SHA1

2b0dfcc018a5da0f140352bd114fb0f5e9abdfc3

SHA256

1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d

SHA512

2c7dd219673800320e3432ff6d8d2e5c2c3ae60a5f5960097d16ff79f385186ce13a81ea5a2b3d17652161d55ea552712f73d2d154b377fa74ec10043469dab4

Tags

raccoon redline smokeloader socelars vidar 2f2ad1a1aa093c5a9d17040c8efd5650a99640b5 916 fuck1 media18 aspackv2 backdoor infostealer stealer suricata trojan

Signatures

Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
Raccoon
Description

Simple but powerful infostealer which was very active in 2019.
Tags

stealer raccoon
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Socelars Payload
Vidar
Description

Vidar is an infostealer based on Arkei stealer.
Tags

stealer vidar
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
Vidar Stealer
Tags

stealer
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.

Related Tasks

behavioral8

Target

2010009ff5b8b55fbcaa90318461a1b5b69ef6c8fd32ac279e81a10844d57859

MD5

8e909af6cbb66bc255609e7d86360e7c

Filesize

3MB

Score

10^/10

SHA1

3b3fbbe358970adea4c69ea8a0251407697a09e0

SHA256

2010009ff5b8b55fbcaa90318461a1b5b69ef6c8fd32ac279e81a10844d57859

SHA512

bd943f7562b3849695d5cec246366fc8fc811359edf890a41ed3169bd582e68b02c5831fca738b88a4d71c0e42dd3d202bc48cbc49bad24754465b410369826a

Tags

redline smokeloader socelars vidar 937 media13 she aspackv2 backdoor discovery evasion infostealer persistence spyware stealer suricata trojan

Signatures

Modifies Windows Defender Real-time Protection settings
Tags

evasion trojan

TTPs

Modify RegistryModify Existing ServiceDisabling Security Tools
Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Description

Vidar is an infostealer based on Arkei stealer.
Tags

stealer vidar
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Description

suricata: ET MALWARE ClipBanker Variant Activity (POST)
Tags

suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
Description

suricata: ET MALWARE GCleaner Downloader Activity M5
Tags

suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Description

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Tags

suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Description

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Tags

suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Description

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Tags

suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Description

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags

suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags

evasion

TTPs

Query RegistryVirtualization/Sandbox Evasion
Vidar Stealer
Tags

stealer
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Downloads MZ/PE file
Executes dropped EXE
Checks BIOS information in registry
Description

BIOS information is often read in order to detect sandboxing environments.
TTPs

Query RegistrySystem Information Discovery
Checks computer location settings
Description

Looks up country code configured in the registry, likely geofence.
TTPs

Query RegistrySystem Information Discovery
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Accesses 2FA software files, possible credential harvesting
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Tags

spyware

TTPs

Data from Local SystemCredentials in Files
Adds Run key to start application
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Checks installed software on the system
Description

Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags

discovery

TTPs

Query Registry
Checks whether UAC is enabled
Tags

evasion trojan

TTPs

System Information Discovery
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

Related Tasks

behavioral9

Target

243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493

MD5

664aed619fcf50da08dc9d74f48aad57

Filesize

4MB

Score

10^/10

SHA1

995df8d6655cf256187df9bc9699bdd094c33616

SHA256

243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493

SHA512

c2b5326396712ef94b51ab52e5f655134978af980db04c09c3cb7a6fce5e236087da790a65b493c1e9760617a2867070ad824a2d458f38a65916594d313254fc

Tags

raccoon redline smokeloader socelars vidar 2f2ad1a1aa093c5a9d17040c8efd5650a99640b5 fucker2 media18 aspackv2 backdoor evasion infostealer spyware stealer suricata trojan

Signatures

Modifies Windows Defender Real-time Protection settings
Tags

evasion trojan

TTPs

Modify RegistryModify Existing ServiceDisabling Security Tools
Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
Raccoon
Description

Simple but powerful infostealer which was very active in 2019.
Tags

stealer raccoon
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Description

Vidar is an infostealer based on Arkei stealer.
Tags

stealer vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
Description

suricata: ET MALWARE GCleaner Downloader Activity M5
Tags

suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Description

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Tags

suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Description

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Tags

suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Description

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags

suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags

suricata
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Tags

evasion

TTPs

Modify Existing Service
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext

Related Tasks

behavioral10

Target

2d63a14e4ab37be8d0eee3d87959e3a0ef972d07411c136ecf2f1ac4191a701a

MD5

e04c606d6936962fe40913b1654410d8

Filesize

3MB

Score

10^/10

SHA1

37a7a94ea89f4697ad779a43c907deef4fd04f89

SHA256

2d63a14e4ab37be8d0eee3d87959e3a0ef972d07411c136ecf2f1ac4191a701a

SHA512

a98c183a3b9b4cc34544f9cd1ba5ba4a41595ce06d21e0ae2598adc96096411e94a09e3ef72bdc49f7a74b2d58bd7274e041eee2c4d3cee6f2476b3c000c8ba2

Tags

raccoon redline smokeloader socelars ani fcdc156d3872c18d25e3ee45499599b45e492a67 she aspackv2 backdoor infostealer persistence spyware stealer suricata trojan

Signatures

Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
Raccoon
Description

Simple but powerful infostealer which was very active in 2019.
Tags

stealer raccoon
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Description

suricata: ET MALWARE ClipBanker Variant Activity (POST)
Tags

suricata
suricata: ET MALWARE ServHelper CnC Inital Checkin
Description

suricata: ET MALWARE ServHelper CnC Inital Checkin
Tags

suricata
Grants admin privileges
Description

Uses net.exe to modify the user's privileges.
TTPs

Account Manipulation
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies RDP port number used by Windows
TTPs

Remote Desktop Protocol
Sets DLL path for service in the registry
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in System32 directory
Suspicious use of SetThreadContext

Related Tasks

behavioral11

Target

30e6815ae008a8638c5b30460098904121e0b98c7e87784d950f1dc55aafec51

MD5

af6e236e2635e451927e7e99f159709a

Filesize

8KB

Score

1^/10

SHA1

ff5a827131c817a3bf95bb8b798b272101428618

SHA256

30e6815ae008a8638c5b30460098904121e0b98c7e87784d950f1dc55aafec51

SHA512

4b4fd1668211f7193c0b41bb014015f9502b2b75cb0237500c4754e3925d16f719e5154b5fe3cc328d867cfd3cd480802d6150140a48ba5a6ca407100b4b08e6

Related Tasks

behavioral12

Target

364d3b0e9456ecff4518f48695df817af1fdcd76c1f9644a35cfe5ec621e5ffa

MD5

395991dd927c34de92ef13d9dad8664a

Filesize

5MB

Score

10^/10

SHA1

d7a6e083fc39aa0933865549dd553e83e7f486bf

SHA256

364d3b0e9456ecff4518f48695df817af1fdcd76c1f9644a35cfe5ec621e5ffa

SHA512

f27eb6c9c63e1a40dc675b40b419481b95e27e4ceff042fe94a0ef8a77568844900d962485cfd7a1035203161693cba320375b5cc57cd12c51695a5252d78fb3

Tags

redline smokeloader socelars vidar 916 937 ani she aspackv2 backdoor discovery evasion infostealer persistence spyware stealer suricata trojan

Signatures

Modifies Windows Defender Real-time Protection settings
Tags

evasion trojan

TTPs

Modify RegistryModify Existing ServiceDisabling Security Tools
Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Description

Vidar is an infostealer based on Arkei stealer.
Tags

stealer vidar
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Description

suricata: ET MALWARE ClipBanker Variant Activity (POST)
Tags

suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
Description

suricata: ET MALWARE GCleaner Downloader Activity M5
Tags

suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Description

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Tags

suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Description

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Tags

suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Description

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Tags

suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Description

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags

suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags

evasion

TTPs

Query RegistryVirtualization/Sandbox Evasion
Vidar Stealer
Tags

stealer
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Downloads MZ/PE file
Executes dropped EXE
Checks BIOS information in registry
Description

BIOS information is often read in order to detect sandboxing environments.
TTPs

Query RegistrySystem Information Discovery
Checks computer location settings
Description

Looks up country code configured in the registry, likely geofence.
TTPs

Query RegistrySystem Information Discovery
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Accesses 2FA software files, possible credential harvesting
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Tags

spyware

TTPs

Data from Local SystemCredentials in Files
Adds Run key to start application
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Checks installed software on the system
Description

Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags

discovery

TTPs

Query Registry
Checks whether UAC is enabled
Tags

evasion trojan

TTPs

System Information Discovery
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

Related Tasks

behavioral13

Target

3a4e2dfbd7943c7200d7c5ea70c2b0117408d3c1ac3cac7b757d8e05dcc9ff00

MD5

b1e9f93ed954f84cc0144c40c75f178f

Filesize

3MB

Score

10^/10

SHA1

a11c3dc288597c4139fbcab21474dd69931b8668

SHA256

3a4e2dfbd7943c7200d7c5ea70c2b0117408d3c1ac3cac7b757d8e05dcc9ff00

SHA512

6a3b1f513a5cdabdc6dae142fa9a61f683a2e514e0f4f1a5b20902eeb2d0918f636b600529ebf20020835d8b2b987d4123c94ee4755df1bb31274a5a4ee16da2

Tags

redline smokeloader vidar ani media13 she aspackv2 backdoor evasion infostealer spyware stealer suricata trojan

Signatures

Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Vidar
Description

Vidar is an infostealer based on Arkei stealer.
Tags

stealer vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
Description

suricata: ET MALWARE GCleaner Downloader Activity M5
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags

suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags

suricata
Vidar Stealer
Tags

stealer
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Tags

evasion

TTPs

Modify Existing Service
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext

Related Tasks

behavioral14

Target

4a4a606501eea3b8b9e128412455243ca20de0efe374c9c47ff3b5caac457375

MD5

2b0ce83a2a1065ef402b7a50f45892fd

Filesize

4MB

Score

10^/10

SHA1

d66a565247f9df9ac0bdb3725eee121e98d8914d

SHA256

4a4a606501eea3b8b9e128412455243ca20de0efe374c9c47ff3b5caac457375

SHA512

42d19f0130d34a3b37e78b6f1ba9c3c7e07d99e0a76dc005be976c51c2a363e64d475b9caa6805d3e8c1da2a4d32020f307eaae68b41d8c815ae1da8ec0db2ca

Tags

redline smokeloader socelars 05.10 backdoor discovery evasion infostealer spyware stealer suricata themida trojan

Signatures

Modifies Windows Defender Real-time Protection settings
Tags

evasion trojan

TTPs

Modify RegistryModify Existing ServiceDisabling Security Tools
Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Socelars Payload
suricata: ET MALWARE GCleaner Downloader Activity M5
Description

suricata: ET MALWARE GCleaner Downloader Activity M5
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags

suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags

suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags

evasion

TTPs

Query RegistryVirtualization/Sandbox Evasion
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Tags

evasion

TTPs

Modify Existing Service
Checks BIOS information in registry
Description

BIOS information is often read in order to detect sandboxing environments.
TTPs

Query RegistrySystem Information Discovery
Checks computer location settings
Description

Looks up country code configured in the registry, likely geofence.
TTPs

Query RegistrySystem Information Discovery
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Themida packer
Description

Detects Themida, an advanced Windows software protection system.
Tags

themida
Checks installed software on the system
Description

Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags

discovery

TTPs

Query Registry
Checks whether UAC is enabled
Tags

evasion trojan

TTPs

System Information Discovery
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in System32 directory
Suspicious use of SetThreadContext

Related Tasks

behavioral15

Target

4d89b007686d09c5143127f408435b76d2ea36991b728985ac47dcf797e6e7c0

MD5

1f998b076047371b95763abf57a2eb5f

Filesize

5MB

Score

10^/10

SHA1

8ef5c726e13d658b2be905e5274cdb0ae5fd60ca

SHA256

4d89b007686d09c5143127f408435b76d2ea36991b728985ac47dcf797e6e7c0

SHA512

c9f3603af56effaee8a6027339d359c4954251d17d3168e638eba99fdfc25d1082de86d6bff601f985b4f8819b9808c4e2dcaa8b97947d9595edf791f986f716

Tags

redline smokeloader socelars vidar 916 ani aspackv2 backdoor evasion infostealer spyware stealer suricata trojan

Signatures

Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Socelars Payload
Vidar
Description

Vidar is an infostealer based on Arkei stealer.
Tags

stealer vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
Description

suricata: ET MALWARE GCleaner Downloader Activity M5
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags

suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags

suricata
Vidar Stealer
Tags

stealer
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Tags

evasion

TTPs

Modify Existing Service
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.

Related Tasks

behavioral16

Target

5524bfd8269c656293e16b8da80bd43983f457f261f052e166d90a079517115f

MD5

2f3136374745c23cc8b0d05329712308

Filesize

4MB

Score

10^/10

SHA1

06a587bb27cca266d53a593d445b7917faae8646

SHA256

5524bfd8269c656293e16b8da80bd43983f457f261f052e166d90a079517115f

SHA512

4efcdd92d0e4234d20b64dd1442931dcc4e8c0b0b5490b2edbdcc5ce209f39b74730f1c0ded07c3d229507b5ce666df76dab4a1dda6ed4d2147fc4da1b81de7b

Tags

redline smokeloader ani media12 she aspackv2 backdoor evasion infostealer persistence spyware stealer suricata trojan

Signatures

Modifies Windows Defender Real-time Protection settings
Tags

evasion trojan

TTPs

Modify RegistryModify Existing ServiceDisabling Security Tools
Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE GCleaner Downloader Activity M5
Description

suricata: ET MALWARE GCleaner Downloader Activity M5
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags

suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags

suricata
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Tags

evasion

TTPs

Modify Existing Service
Checks computer location settings
Description

Looks up country code configured in the registry, likely geofence.
TTPs

Query RegistrySystem Information Discovery
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Adds Run key to start application
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.

Related Tasks

behavioral17

Target

582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b

MD5

b968dfca2c74f26c008abffa22c74581

Filesize

3MB

Score

10^/10

SHA1

160dc676ce1696daa20f3c2d56cf41d84481d628

SHA256

582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b

SHA512

8146433494d3150b8a0c47783bfe004a8f6503eb71ffc87c508b76342a864f10f9913918a9e0828cfd83634d054868f129e06e4eb3c989c88b1e6c15e1262881

Tags

raccoon redline smokeloader socelars ani fcdc156d3872c18d25e3ee45499599b45e492a67 she aspackv2 backdoor infostealer persistence spyware stealer suricata trojan

Signatures

Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
Raccoon
Description

Simple but powerful infostealer which was very active in 2019.
Tags

stealer raccoon
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Description

suricata: ET MALWARE ClipBanker Variant Activity (POST)
Tags

suricata
suricata: ET MALWARE ServHelper CnC Inital Checkin
Description

suricata: ET MALWARE ServHelper CnC Inital Checkin
Tags

suricata
Grants admin privileges
Description

Uses net.exe to modify the user's privileges.
TTPs

Account Manipulation
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies RDP port number used by Windows
TTPs

Remote Desktop Protocol
Sets DLL path for service in the registry
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in System32 directory
Suspicious use of SetThreadContext

Related Tasks

behavioral18

Target

588b74dc8e2473c34be3e958cb4f63e6466feb0be21e7b0a6418c1c8112ee370

MD5

50693ca6be65ab9f3ab8dc4541821206

Filesize

4MB

Score

10^/10

SHA1

58f816723e3c1f58c6c90a1b4b19a97bf6765fb7

SHA256

588b74dc8e2473c34be3e958cb4f63e6466feb0be21e7b0a6418c1c8112ee370

SHA512

1f4935a35ae18890abaee552f2a2215bfcd6b7b9b337f48d4a8af9e3e69a90de61d4f5e09c939bd262e8dfc11503b7dd303934a866ace51969abc69a55bfe4cd

Tags

redline socelars vidar 05.10 build discovery evasion infostealer spyware stealer suricata themida trojan vmprotect

Signatures

Modifies Windows Defender Real-time Protection settings
Tags

evasion trojan

TTPs

Modify RegistryModify Existing ServiceDisabling Security Tools
Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Description

Vidar is an infostealer based on Arkei stealer.
Tags

stealer vidar
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Description

suricata: ET MALWARE ClipBanker Variant Activity (POST)
Tags

suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
Description

suricata: ET MALWARE GCleaner Downloader Activity M5
Tags

suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Description

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Tags

suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Description

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Tags

suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Description

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags

suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags

suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags

evasion

TTPs

Query RegistryVirtualization/Sandbox Evasion
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Tags

evasion

TTPs

Modify Existing Service
VMProtect packed file
Description

Detects executables packed with VMProtect commercial packer.
Tags

vmprotect
Checks BIOS information in registry
Description

BIOS information is often read in order to detect sandboxing environments.
TTPs

Query RegistrySystem Information Discovery
Checks computer location settings
Description

Looks up country code configured in the registry, likely geofence.
TTPs

Query RegistrySystem Information Discovery
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Themida packer
Description

Detects Themida, an advanced Windows software protection system.
Tags

themida
Checks installed software on the system
Description

Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags

discovery

TTPs

Query Registry
Checks whether UAC is enabled
Tags

evasion trojan

TTPs

System Information Discovery
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

Related Tasks

behavioral19

Target

609accbb14b3fb81d04e3142447678c4a163ec4fa6e33256e00f723e64b0852b

MD5

fae157c539487f1e83d8548854409b2e

Filesize

3MB

Score

10^/10

SHA1

cbca5a5851e0a8e501b63fb075cc24becb8e956f

SHA256

609accbb14b3fb81d04e3142447678c4a163ec4fa6e33256e00f723e64b0852b

SHA512

c13dbe3ca16660ac59cf56cec6b8e5fdd6a2221a05a8f252e4311445a8d883c29c4ab7a4e3ffaa3ff207e8508540c0153f1e9b36f29f64f53767a46bad79b10f

Tags

redline smokeloader socelars she aspackv2 backdoor evasion infostealer spyware stealer suricata trojan

Signatures

Modifies Windows Defender Real-time Protection settings
Tags

evasion trojan

TTPs

Modify RegistryModify Existing ServiceDisabling Security Tools
Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Socelars Payload
suricata: ET MALWARE GCleaner Downloader Activity M5
Description

suricata: ET MALWARE GCleaner Downloader Activity M5
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags

suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags

suricata
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
Description

Looks up country code configured in the registry, likely geofence.
TTPs

Query RegistrySystem Information Discovery
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext

Related Tasks

behavioral20

Target

620a9a3efa423f182b5126bec022a1871d7051d08065495ba7bed12e18668111

MD5

bbdcb9ff39692c100a8b20f3c2b3ed3d

Filesize

4MB

Score

10^/10

SHA1

9bbf2e4dc2ac398596fe87cd09f9add86b27fb16

SHA256

620a9a3efa423f182b5126bec022a1871d7051d08065495ba7bed12e18668111

SHA512

d2935c9ae3eafd5c5ccd89a0864eb6dc647d32a0b36f20b3eeb94540982fd9721aaf8f70a8f5a09e9016b9e01e46682a053f44583ecffa14fef34ff4948422a7

Tags

raccoon redline smokeloader socelars vidar 2f2ad1a1aa093c5a9d17040c8efd5650a99640b5 937 fucker2 media18 aspackv2 backdoor evasion infostealer spyware stealer suricata trojan

Signatures

Modifies Windows Defender Real-time Protection settings
Tags

evasion trojan

TTPs

Modify RegistryModify Existing ServiceDisabling Security Tools
Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
Raccoon
Description

Simple but powerful infostealer which was very active in 2019.
Tags

stealer raccoon
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Description

Vidar is an infostealer based on Arkei stealer.
Tags

stealer vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
Description

suricata: ET MALWARE GCleaner Downloader Activity M5
Tags

suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Description

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Tags

suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Description

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Tags

suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Description

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags

suricata
Vidar Stealer
Tags

stealer
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext

Related Tasks

behavioral21

Target

623bb62b2bdec1c2b272fbeb0da95904b91f20f95a27dc8a59d0ca4c1010ef7c

MD5

15b7d616b28fb9df36d631a27dbf2e93

Filesize

5MB

Score

10^/10

SHA1

0019bad9cc179f7274b620da0a75728a46331500

SHA256

623bb62b2bdec1c2b272fbeb0da95904b91f20f95a27dc8a59d0ca4c1010ef7c

SHA512

e3a4c09bcc5d1c76ee8e3927fddaf08c3027a1e381067ac69e6688e2254158b9048899349b4fbec3e0cbbcc5a7a55ba8827e93be9641bc7f64bce17b56be7831

Tags

redline smokeloader socelars vidar 937 ani she aspackv2 backdoor discovery evasion infostealer persistence spyware stealer suricata trojan

Signatures

Modifies Windows Defender Real-time Protection settings
Tags

evasion trojan

TTPs

Modify RegistryModify Existing ServiceDisabling Security Tools
Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Description

Vidar is an infostealer based on Arkei stealer.
Tags

stealer vidar
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Description

suricata: ET MALWARE ClipBanker Variant Activity (POST)
Tags

suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
Description

suricata: ET MALWARE GCleaner Downloader Activity M5
Tags

suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Description

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Tags

suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Description

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Tags

suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Description

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Tags

suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Description

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags

suricata
Checks for common network interception software
Description

Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
Tags

evasion

TTPs
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags

evasion

TTPs

Query RegistryVirtualization/Sandbox Evasion
Vidar Stealer
Tags

stealer
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Checks BIOS information in registry
Description

BIOS information is often read in order to detect sandboxing environments.
TTPs

Query RegistrySystem Information Discovery
Checks computer location settings
Description

Looks up country code configured in the registry, likely geofence.
TTPs

Query RegistrySystem Information Discovery
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Accesses 2FA software files, possible credential harvesting
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Tags

spyware

TTPs

Data from Local SystemCredentials in Files
Adds Run key to start application
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Checks installed software on the system
Description

Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags

discovery

TTPs

Query Registry
Checks whether UAC is enabled
Tags

evasion trojan

TTPs

System Information Discovery
Enumerates connected drives
Description

Attempts to read the root path of hard drives other than the default C: drive.
TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

Related Tasks

behavioral22

Target

642c69b7109f087d01166ed237a4fd4611a2209a11e23a8dc2f2ba5aec3118bc

MD5

2a63fa2ace27f76ad1a17c6f1bb01353

Filesize

5MB

Score

10^/10

SHA1

44fa3ece4acf17cfc51a36960f65b8bd81feea5e

SHA256

642c69b7109f087d01166ed237a4fd4611a2209a11e23a8dc2f2ba5aec3118bc

SHA512

711d462e56226e3170fd63cc87362a046ae398bc33258d3fc7cefdb1f973a266848b6b4510f60ffbfdfedfff980d2e346af0fa6e2b841624aae0f04ebb82a9e1

Tags

redline smokeloader socelars vidar 916 ani she aspackv2 backdoor evasion infostealer spyware stealer suricata trojan

Signatures

Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Socelars Payload
Vidar
Description

Vidar is an infostealer based on Arkei stealer.
Tags

stealer vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
Description

suricata: ET MALWARE GCleaner Downloader Activity M5
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags

suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags

suricata
Vidar Stealer
Tags

stealer
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Tags

evasion

TTPs

Modify Existing Service
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.

Related Tasks

behavioral23

Target

6e18165c4a3685b247b326103b7a12266f7d01a8831aa97e710449273263dc34

MD5

c6fe254394e47430b9082139448aabe9

Filesize

2MB

Score

10^/10

SHA1

ec0993c200353cbc1ccaacd53643e4077bf75a78

SHA256

6e18165c4a3685b247b326103b7a12266f7d01a8831aa97e710449273263dc34

SHA512

131bdb23487fb5e8df908cc3e8d1609cd67290fd13fa3c5999ae8d706d4178aa8dd46f809b5ba92ad929b6b22dcb463a475e77bcbf07f82512697893ed513408

Tags

raccoon smokeloader fcdc156d3872c18d25e3ee45499599b45e492a67 backdoor stealer suricata trojan

Signatures

Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
Raccoon
Description

Simple but powerful infostealer which was very active in 2019.
Tags

stealer raccoon
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Description

suricata: ET MALWARE ClipBanker Variant Activity (POST)
Tags

suricata
Downloads MZ/PE file
Executes dropped EXE
Drops startup file
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Drops file in System32 directory
Suspicious use of SetThreadContext

Related Tasks

behavioral24

Target

78a82aa6d47c01237be6b269d2bda88a9ca0b1e6eecc29ba631e18fbbd18e5cd

MD5

7f1faa8a4ddb32af19428f462da72136

Filesize

504KB

Score

8^/10

SHA1

c7dea48daab84594fa0138542c274e8e9ce1fedf

SHA256

78a82aa6d47c01237be6b269d2bda88a9ca0b1e6eecc29ba631e18fbbd18e5cd

SHA512

f8a4c204224d200f326f7782e4b1024cd2745631727f948eb7904267113d062a0f34d1b53b6b972e0dbf4f37e4e08b5b4b8e6878f3677100513fbf515ef84057

Signatures

Executes dropped EXE
Loads dropped DLL

Related Tasks

behavioral25

Target

809ed9e2d09751dad774b865881411b32bd24ad1626e331c0760b507c20eb741

MD5

85fdfaf0375116479cb4d27c7bfd1263

Filesize

6MB

Score

10^/10

SHA1

64f6c4fafa6477128a4594435c6160a94c29a269

SHA256

809ed9e2d09751dad774b865881411b32bd24ad1626e331c0760b507c20eb741

SHA512

91a50317af88a6f5c33f471f771c04cb56aa5228bceeb94336d10d7934c056fcd682c5f20ad693399ed02be142173c60f28a1884664ead07dbdec312674b4a5b

Tags

redline smokeloader socelars ani media15 she aspackv2 backdoor evasion infostealer stealer suricata trojan

Signatures

Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Socelars Payload
suricata: ET MALWARE GCleaner Downloader Activity M5
Description

suricata: ET MALWARE GCleaner Downloader Activity M5
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags

suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags

suricata
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Tags

evasion

TTPs

Modify Existing Service
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.

Related Tasks

behavioral26

Target

82bf2273f62e1bb50f3189fcf8bcf367a264e6942848209c325b3dd5da2cd62f

MD5

d4074889823e1903a7cad0b5fec73ec2

Filesize

5MB

Score

10^/10

SHA1

b143adc240983728c546d24af9f15e987e181883

SHA256

82bf2273f62e1bb50f3189fcf8bcf367a264e6942848209c325b3dd5da2cd62f

SHA512

3af61a360e747ef3751e7108c3b54ead237da4b267af34c798986891adfceb7d0c41cde9ce8f73dd8666c0f39037a62ae9b3044c237777b5170c5abb24725ee5

Tags

redline smokeloader socelars vidar 916 937 ani media17 aspackv2 backdoor evasion infostealer spyware stealer suricata trojan

Signatures

Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Socelars Payload
Vidar
Description

Vidar is an infostealer based on Arkei stealer.
Tags

stealer vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
Description

suricata: ET MALWARE GCleaner Downloader Activity M5
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags

suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags

suricata
Vidar Stealer
Tags

stealer
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Tags

evasion

TTPs

Modify Existing Service
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext

Related Tasks

behavioral27

Target

9bd142ecfe89857de80bb3255a1655f680ca6451b45cca235096dc1c1285e806

MD5

a4d23ac3c7172b9aa02e35b6bf0fd21f

Filesize

3MB

Score

10^/10

SHA1

0326aab7deddfefc048c9a67ac9ce4ee14ea9003

SHA256

9bd142ecfe89857de80bb3255a1655f680ca6451b45cca235096dc1c1285e806

SHA512

9e425d8a1beaeabfc983bb75a7a5f8a8c0823e825e9f66e17b0f515b2897da9f2d9b2f1aa9939fdbae6c826c2c730d3bc772abec9e35a61d3d73a6cdb87ddf10

Tags

redline smokeloader socelars vidar ani she aspackv2 backdoor evasion infostealer spyware stealer suricata trojan

Signatures

Modifies Windows Defender Real-time Protection settings
Tags

evasion trojan

TTPs

Modify RegistryModify Existing ServiceDisabling Security Tools
Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Description

Vidar is an infostealer based on Arkei stealer.
Tags

stealer vidar
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Description

suricata: ET MALWARE ClipBanker Variant Activity (POST)
Tags

suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
Description

suricata: ET MALWARE GCleaner Downloader Activity M5
Tags

suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Description

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Tags

suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Description

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags

suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags

suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags

evasion

TTPs

Query RegistryVirtualization/Sandbox Evasion
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Tags

evasion

TTPs

Modify Existing Service
Checks BIOS information in registry
Description

BIOS information is often read in order to detect sandboxing environments.
TTPs

Query RegistrySystem Information Discovery
Checks computer location settings
Description

Looks up country code configured in the registry, likely geofence.
TTPs

Query RegistrySystem Information Discovery
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Checks whether UAC is enabled
Tags

evasion trojan

TTPs

System Information Discovery
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in System32 directory
Suspicious use of SetThreadContext

Related Tasks

behavioral28

Target

9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782

MD5

9725f7f222530388cb2743504a6e0667

Filesize

3MB

Score

10^/10

SHA1

56d0eb91855e326b050c904147f4d9dafc596d70

SHA256

9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782

SHA512

ea5aedb3c3ab725c9afc65481ef7b59cdfad80613aaf43a8e76ec94045824269b008007644cb7943e65e98a87650f7f980afcd66ae1dee7807d84be57c018663

Tags

redline smokeloader vidar chris fucker2 media20 aspackv2 backdoor infostealer spyware stealer suricata trojan

Signatures

Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Description

Vidar is an infostealer based on Arkei stealer.
Tags

stealer vidar
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Description

suricata: ET MALWARE ClipBanker Variant Activity (POST)
Tags

suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
Description

suricata: ET MALWARE GCleaner Downloader Activity M5
Tags

suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Description

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Tags

suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Description

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Tags

suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Description

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags

suricata
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in System32 directory
Suspicious use of SetThreadContext

Related Tasks

behavioral29

Target

9d608ed375a27a573add396e92f4f8e831cb71d344fa21f14b04c42788946511

MD5

4263d12dd5f4d595e9efae16102d9b6d

Filesize

4MB

Score

10^/10

SHA1

cbf93a6ea05b8da4214fd847c8f209151a0b76bd

SHA256

9d608ed375a27a573add396e92f4f8e831cb71d344fa21f14b04c42788946511

SHA512

d548edc17b06d9f047f48bb3190d0840b15b510784965acfa38fbf2b69cf975bc3ea2370484d26eefe79a8e4609a337dede4a783216e8b8de5fb07bcc3204018

Tags

smokeloader backdoor evasion spyware stealer suricata trojan

Signatures

Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Description

suricata: ET MALWARE ClipBanker Variant Activity (POST)
Tags

suricata
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Checks whether UAC is enabled
Tags

evasion trojan

TTPs

System Information Discovery
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Drops file in System32 directory
Suspicious use of SetThreadContext

Related Tasks

behavioral30

Target

9ed5bbddf1be7ad2f19ae45eff5839f0e7a7f435f9fd583a49c2ff7a5e860d6e

MD5

eeab16ae25d712b91f2faf84b44a4ca8

Filesize

4MB

Score

10^/10

SHA1

fd182f829b29b41495c4cc66be7266062d3b71e0

SHA256

9ed5bbddf1be7ad2f19ae45eff5839f0e7a7f435f9fd583a49c2ff7a5e860d6e

SHA512

0074546e453e49d55a9c4ad8ca32bf67bb8346e1b084e90e047a00a3814a7668328a6b188f9595f25c5e784a9c9d6001940dd61f1c666493a92347fb2e6e5292

Tags

redline smokeloader socelars vidar 916 ani fuck1 media17 aspackv2 backdoor evasion infostealer spyware stealer suricata trojan

Signatures

Modifies Windows Defender Real-time Protection settings
Tags

evasion trojan

TTPs

Modify RegistryModify Existing ServiceDisabling Security Tools
Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Description

Vidar is an infostealer based on Arkei stealer.
Tags

stealer vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
Description

suricata: ET MALWARE GCleaner Downloader Activity M5
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags

suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags

suricata
Vidar Stealer
Tags

stealer
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Tags

evasion

TTPs

Modify Existing Service
Checks computer location settings
Description

Looks up country code configured in the registry, likely geofence.
TTPs

Query RegistrySystem Information Discovery
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext

Related Tasks

behavioral31

Target

a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4

MD5

bfc2137972c74edea0f9791b94486e9b

Filesize

4MB

Score

10^/10

SHA1

fd72e52406ce3f2ae5cfdb5dd8c7243f3ce31eb3

SHA256

a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4

SHA512

9fcd3756f9888e2000b94caf0d803087497b87428c0bd641901d2e416411bc698d9ca3a7a00d3cd711b681f3c8b8921f2a478f0ec1f975bc36fde5cf16741e75

Tags

raccoon redline smokeloader socelars 2f2ad1a1aa093c5a9d17040c8efd5650a99640b5 chris media18 aspackv2 backdoor evasion infostealer stealer suricata trojan

Signatures

Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
Raccoon
Description

Simple but powerful infostealer which was very active in 2019.
Tags

stealer raccoon
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Socelars
Description

Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags

stealer socelars
Socelars Payload
suricata: ET MALWARE GCleaner Downloader Activity M5
Description

suricata: ET MALWARE GCleaner Downloader Activity M5
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Tags

suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags

suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Description

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Tags

suricata
ASPack v2.12-2.42
Description

Detects executables packed with ASPack v2.12-2.42
Tags

aspackv2
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Tags

evasion

TTPs

Modify Existing Service
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Description

Uses a legitimate geolocation service to find the infected system's geolocation info.