General

  • Target: 6050639261106176.zip
  • Size: 49.7MB
  • Sample: 211110-segh9shcd2
  • MD5: 219ac0109c3e07842f790b412fec94ba
  • SHA1: 4f8ef33c738aff58136f4589dc547fef41656c75
  • SHA256: 54dd0b1767570b23927b3959b1b53e2184b604eec29f168ca5f2b644a438309f
  • SHA512: df78fb954a8a19797030e016a797fed8622de9f7d0fb106ca91f3149a889b5693f317886b2b3274b254376675a15b3a17beabc1d683761211adc1d5502939cc9

Malware Config

Extracted
  • Family: vidar
  • Version: 41.5
  • Botnet: 933
  • C2: https://mas.to/@xeroxxx
  • Attributes: profile_id = 933

  The mas.to URL is a dead-drop resolver rather than the C2 endpoint itself: Vidar fetches the Mastodon profile page and reads the real C2 address out of it, which is what the "Legitimate hosting services abused for malware hosting/C2" signature under the targets refers to. Treat the profile URL as an indicator, but the address it resolves to is the endpoint to block.

Extracted
  • Family: smokeloader
  • Version: 2020
  • C2:
      http://directorycart.com/upload/
      http://tierzahnarzt.at/upload/
      http://streetofcards.com/upload/
      http://ycdfzd.com/upload/
      http://successcoachceo.com/upload/
      http://uhvu.cn/upload/
      http://japanarticle.com/upload/
  • Attributes: rc4.i32, rc4.i32

Extracted
  • Family: redline
  • Botnet: media20
  • C2: 91.121.67.60:2151

Extracted
  • Family: vidar
  • Version: 48.1
  • Botnet: 937
  • Attributes: profile_id = 937

Extracted
  • Family: socelars
  • C2:
      http://www.iyiqian.com/
      http://www.hbgents.top/
      http://www.rsnzhy.com/
      http://www.znsjis.top/

Extracted
  • Family: redline
  • Botnet: she
  • C2: 135.181.129.119:4805

Extracted
  • Family: redline
  • Botnet: media15
  • C2: 91.121.67.60:2151

Extracted
  • Family: redline
  • Botnet: ANI
  • C2: 194.104.136.5:46013

Extracted
  • Family: vidar
  • Version: 41.4
  • Botnet: 916
  • C2: https://mas.to/@sslam
  • Attributes: profile_id = 916

Two of the RedLine configs (botnets media20 and media15) share the socket 91.121.67.60:2151, and the vidar 48.1 / botnet 937 config carries no C2 value, so a deduplicated indicator list is shorter than the nine blocks suggest.

Targets

Each extracted file is listed under its SHA256, so the Target name and the SHA256 field of an entry should be identical; check that before importing the hashes.
    • Target: 5cb26af89016d92b17fac85ae007d21027b3032174425c2bb6753241d62b2b00
      Size: 92KB
      MD5: bc1448e17d086d57f635c7079c1bc773
      SHA1: 1db1cb05523982e613b2e7977472f3adda47c1a2
      SHA256: 5cb26af89016d92b17fac85ae007d21027b3032174425c2bb6753241d62b2b00
      SHA512: 5b9c65f7e766560e2ccbc6a2aeba3dbbc1eeaca77eb57f2511155dcc86149d448d9780c9328562ff353aba8e4f90adc5c84ac9dcce509efe99cde56768c2f867

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

      The process was created with a parent PID other than the calling process (parent PID spoofing), so the recorded process tree shows a false lineage.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Vidar Stealer

    • XMRig Miner Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

      Rewriting another process's thread context is the usual final step of process hollowing: create a child suspended, overwrite its memory, then point the thread at the injected code.

    • Target: 775338ae182f692416e822b49ee9450ccf484f7bf179111cff7058c12fe29be4
      Size: 5.6MB
      MD5: 7e6b1e9e80bb32a34426aecc480c18ac
      SHA1: 1b776dd0f22d0395fa9d0f11b244d6dc0a6b3671
      SHA256: 775338ae182f692416e822b49ee9450ccf484f7bf179111cff7058c12fe29be4
      SHA512: ba00595038c7a65ab4e811d339e928d7f00a73ce706bcb9b2eaa5af2356199eecc44cd4f35fe7f2e05bbc48d1bab2c877071ac759658a4ff7579d43842d88831
      Score: 1/10

    • Target: 7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084
      Size: 96KB
      MD5: c202f1103c957930ec4cc01b43dfd472
      SHA1: ffed9fc2e035d31f1b2e098471e8ec70334ff9fc
      SHA256: 7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084
      SHA512: 569aa632a2677cb9d1b0186f19676161853ceea55cb6ee94cfcc6ad4b558c57a2694ab0d2dc541484e4099530b2aab742b95d08c093150efa6585d98ce6356e4

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Target: 809ed9e2d09751dad774b865881411b32bd24ad1626e331c0760b507c20eb741
      Size: 6.8MB
      MD5: 85fdfaf0375116479cb4d27c7bfd1263
      SHA1: 64f6c4fafa6477128a4594435c6160a94c29a269
      SHA256: 809ed9e2d09751dad774b865881411b32bd24ad1626e331c0760b507c20eb741
      SHA512: 91a50317af88a6f5c33f471f771c04cb56aa5228bceeb94336d10d7934c056fcd682c5f20ad693399ed02be142173c60f28a1884664ead07dbdec312674b4a5b
      Score: 10/10

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target: 88e993e9749fc01b654faadb511143d5f6530496ac1013d075342a053d64bb2f
      Size: 96KB
      MD5: 1c58be0a33997195e1e9dbc5b9298ec6
      SHA1: b60217ccbfd99efacb9388cdb0e4739279613892
      SHA256: 88e993e9749fc01b654faadb511143d5f6530496ac1013d075342a053d64bb2f
      SHA512: 4408bc064dd2a937070142d6c924473a67a17a34353f8cee3ae6156831fc06901ca9bdb377f8fb9600e04ffcd243826cded4f6afe730fda579414c3d2cbfd724
      Score: 10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target: 96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434
      Size: 7.0MB
      MD5: 42fff45c940c819040ca8920fbb405cc
      SHA1: 753821199880873e232bbe95ab2beb4ad0b6797c
      SHA256: 96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434
      SHA512: 7943f9d50e11fae6e3bc1a2fdf05bf5a1a96e3366948157ae1067e4f7834f692f1d2a59cf7fe4ef13e773596ca5a0ad26d62bbd285412550c01d02c1d4f7a05f
      Score: 10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target: 9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782
      Size: 3.6MB
      MD5: 9725f7f222530388cb2743504a6e0667
      SHA1: 56d0eb91855e326b050c904147f4d9dafc596d70
      SHA256: 9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782
      SHA512: ea5aedb3c3ab725c9afc65481ef7b59cdfad80613aaf43a8e76ec94045824269b008007644cb7943e65e98a87650f7f980afcd66ae1dee7807d84be57c018663
      Score: 10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target: b645101f39b30453587d2cfbc674bc105c9dcb2195f7fda87fb7d3debac57b21
      Size: 96KB
      MD5: 827ae659131c0058086d9b38bf378523
      SHA1: 0ffcbf3097f6c0487469f728d28622f28843ffff
      SHA256: b645101f39b30453587d2cfbc674bc105c9dcb2195f7fda87fb7d3debac57b21
      SHA512: c44b71e1e4ca4bf5ac6686ee0fd31768114d58c8afd5b1fc952a3af7dab3438a3309dca5ef8fe97ffb0a3b2525e5cd77692a0d031a9fb134b0721e5c99cfba07
      Score: 3/10

    • Target: bc6dfe9ae53c745b83810c092635dee8d3a5e58fda2e91552cc5683399568c09
      Size: 8KB
      MD5: 8c9e935bccc4fac6b11920ef96927aac
      SHA1: 38bd94eb5a5ef481a1e7c5192d9f824b7a16d792
      SHA256: bc6dfe9ae53c745b83810c092635dee8d3a5e58fda2e91552cc5683399568c09
      SHA512: cfd3f54aa0d8cc53388c3fe9e663a6b89a447c38873a3ccf7d658468928c9967e5c1ae7d2f4775ceb5d9b5553c640020fc858ea609190d61df68dec0cc3f2884
      Score: 10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target: ca14b87b565c6b1c90eb3365bed694bd9e8a8b3d0ab6e3ca0c680baec6422f83
      Size: 89KB
      MD5: a56c80f6cef4b2466024b6af88123183
      SHA1: 7d8d3a50f5b1239736423dbb0b1226d59bd1988a
      SHA256: ca14b87b565c6b1c90eb3365bed694bd9e8a8b3d0ab6e3ca0c680baec6422f83
      SHA512: 11c26244e282d37c7587a5838624bd2f310a0842add9fde6abb8150138e5d190438cc54e4e2df1d1985fc453600207d9f35effa290748ef05418534131128cd3

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

    • Target: d097ca2583425f648592138b57562334c0b83d3179634fd43a0b611bdf720122
      Size: 89KB
      MD5: dc534760d1110201433d670e90ac2ed2
      SHA1: 4ece22c0a4bde2a2f2936d87d9d6acb5668c3c78
      SHA256: d097ca2583425f648592138b57562334c0b83d3179634fd43a0b611bdf720122
      SHA512: e9889d072e9cb89201d5a64c7b507066f3edd8e4cf5cc56dea82677f69fb00fff5f1fe627ac9612e9bbd2d864afc91251313e32a403462f1fc572121240e3f99

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Vidar Stealer

    • XMRig Miner Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target: d965344c145a82ea6fcb32c42f683a15e27914bd9f243cb55782c367eeb17d19
      Size: 96KB
      MD5: bf704f182bbb859d29f5fad29017fc7a
      SHA1: 16ac48c6e870bcb9a1932669e48c6037a4f45126
      SHA256: d965344c145a82ea6fcb32c42f683a15e27914bd9f243cb55782c367eeb17d19
      SHA512: 79dcdbe815be041f2ca6bd4151e77283cf674575aab917ab33555ab9ab185413b9dadabc06aa0d878a3ada53a5a52f81f755dcc066c014d46492f3f0f871a248
      Score: 10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target: e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6
      Size: 834KB
      MD5: 2c25a0926e5228d2205b3b8c8ef4d7f4
      SHA1: 5f8a9d364dc3d03a5b11fd5be0629d0fb5a8c409
      SHA256: e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6
      SHA512: cafe8fae74d414015118b838b5e4b30183733d5e833c5db84a56bd2d5cf728cad08d2bbefbeadc86b15b7dbf6dc25fcabdffa8ff4fb346dc0f66376087a28468

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

    • Target: e5d61c0b7d3bea5c6fb6df58e067be3f5d6d31b17d0e193f170c73bc0523250f
      Size: 3.6MB
      MD5: 97ac68892705d183935837037e6cc7f8
      SHA1: b143ca62207abd532628cd9bd7b30328b280c75f
      SHA256: e5d61c0b7d3bea5c6fb6df58e067be3f5d6d31b17d0e193f170c73bc0523250f
      SHA512: d95128cc75f2bb241afdf6b54db331a33a3b1d40416aacc31a5524371455f5e6d08c06b686864089b553b71b2a272de9d7243f346ec72c65c631270597de4a8b
      Score: 10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target: ee4355899a94ed5b369d8a8851d52ef2286c01af577e70bc82f43a5f4716fb0b
      Size: 8KB
      MD5: 69f0fe993f6e63c9e7a2b739ec956e82
      SHA1: 6f9a1b7a9fceac26722da17e204f57a47d7b66a5
      SHA256: ee4355899a94ed5b369d8a8851d52ef2286c01af577e70bc82f43a5f4716fb0b
      SHA512: 1f81e0b8c3a5748a2aa47e02f8b1c1fc09e8d81871a607a148343ac3c579b82685f41eddf2070976a31aabccef0e70303c05d30e0c78c287a5c478c886185b1a

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Target: f4eb00edcbe216c7520fee4b0bb806e612c5a78c5d3da46f1f6fed3678dacad2
      Size: 1.6MB
      MD5: 5f84034c670130aa2f3959e8b2f516de
      SHA1: 46b026c3a74b5770c0da55760f143d6d86cb6d5f
      SHA256: f4eb00edcbe216c7520fee4b0bb806e612c5a78c5d3da46f1f6fed3678dacad2
      SHA512: 7f4847b630b9529cbd495b17221e6562cb694fddf36babd1ff40811f71060027732dd1dacd7899b8479f41f2f4adc31c7f7b8757440d6f4bf7b6edcc4f07156a
      Score: 10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
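Several of the signatures above (unexpected child process, NtCreateUserProcessOtherParentProcess, SetThreadContext, Windows Defender real-time protection changes) describe behaviours that can be checked from a process and registry event stream. The following is an added example, not the sandbox's own code: it re-implements four of those signatures as rules over a constructed trace. The event schema (a caller PID alongside the recorded parent PID, creation flags) and the parent/child lists are assumptions for the example; the Defender policy key and value are the real ones. The lineage helper shows why parent PID spoofing matters: the recorded parent chain hides the real creator.

```python
"""Four behaviour signatures from this report as rules over an event trace.

Added example, not sandbox code. The event schema and TRACE are constructed
for the example; OFFICE_PARENTS and SHELL_CHILDREN are assumptions.
"""
from collections import defaultdict

# Parents that should not normally launch shells or script hosts (assumption).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Policy key/value Defender honours for turning off real-time protection.
DEFENDER_RTP_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
CREATE_SUSPENDED = 0x00000004   # CreateProcess dwCreationFlags bit

# Constructed trace. 'caller' is the process that issued the create call;
# 'parent' is the parent PID recorded on the new process (what a tree shows).
TRACE = [
    {"ev": "process_create", "pid": 10, "image": "explorer.exe", "caller": 1, "parent": 1, "flags": 0},
    {"ev": "process_create", "pid": 100, "image": "winword.exe", "caller": 10, "parent": 10, "flags": 0},
    {"ev": "process_create", "pid": 200, "image": "cmd.exe", "caller": 100, "parent": 100, "flags": 0},
    # parent PID spoofing: 200 creates 300 but records explorer (pid 10) as the parent
    {"ev": "process_create", "pid": 300, "image": "build.exe", "caller": 200, "parent": 10, "flags": 0},
    # hollowing pattern: create suspended, write into the child, redirect its thread
    {"ev": "process_create", "pid": 400, "image": "host.exe", "caller": 300, "parent": 300,
     "flags": CREATE_SUSPENDED},
    {"ev": "write_virtual_memory", "pid": 300, "target": 400},
    {"ev": "set_thread_context", "pid": 300, "target": 400},
    {"ev": "reg_set", "pid": 300, "key": DEFENDER_RTP_KEY, "value": "DisableRealtimeMonitoring", "data": 1},
    # benign: a debugger calling SetThreadContext on a process it did not create suspended
    {"ev": "set_thread_context", "pid": 500, "target": 100},
]


def run_signatures(trace):
    """Return {signature_name: [hits]} for the four rules."""
    images = {e["pid"]: e["image"] for e in trace if e["ev"] == "process_create"}
    hits = defaultdict(list)
    suspended = {}   # child pid -> creator pid, for children created with CREATE_SUSPENDED
    written = set()  # (writer pid, target pid) pairs seen in write_virtual_memory
    for e in trace:
        if e["ev"] == "process_create":
            if images.get(e["parent"]) in OFFICE_PARENTS and e["image"] in SHELL_CHILDREN:
                hits["unexpected_child"].append((e["parent"], e["pid"]))
            if e["caller"] != e["parent"]:                     # NtCreate*OtherParentProcess
                hits["ppid_spoof"].append((e["caller"], e["parent"], e["pid"]))
            if e["flags"] & CREATE_SUSPENDED:
                suspended[e["pid"]] = e["caller"]
        elif e["ev"] == "write_virtual_memory":
            written.add((e["pid"], e["target"]))
        elif e["ev"] == "set_thread_context":
            t = e["target"]
            # only flag the hollowing sequence: suspended child of the caller, already written to
            if suspended.get(t) == e["pid"] and (e["pid"], t) in written:
                hits["hollowing"].append((e["pid"], t))
        elif e["ev"] == "reg_set":
            if (e["key"].lower() == DEFENDER_RTP_KEY.lower()
                    and e["value"] == "DisableRealtimeMonitoring" and e["data"] == 1):
                hits["defender_rtp_disabled"].append(e["pid"])
    return dict(hits)


def lineage(trace, pid, field="parent"):
    """Walk the chain for pid using the recorded parent ('parent') or the
    real creator ('caller'); the two differ when the parent PID was spoofed."""
    links = {e["pid"]: e[field] for e in trace if e["ev"] == "process_create"}
    chain = [pid]
    while chain[-1] in links and links[chain[-1]] not in chain:
        chain.append(links[chain[-1]])
    return chain


if __name__ == "__main__":
    for name, found in run_signatures(TRACE).items():
        print(f"{name}: {found}")
    print("recorded lineage of 300:", lineage(TRACE, 300))
    print("real creator chain of 300:", lineage(TRACE, 300, "caller"))
```

On a real host the "caller" field comes from telemetry that records the creating process separately from the recorded parent (kernel process-creation callbacks or ETW), which is exactly what a sandbox has and a plain process-tree view does not.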

MITRE ATT&CK Matrix (ATT&CK v6)

Each entry is technique (ID): count as listed. The IDs are ATT&CK v6 IDs; four of them have since been retired and remapped in current ATT&CK (T1031 to T1543.003, T1130 to T1553.004, T1089 to T1562.001, T1081 to T1552.001), so translate before loading them into a tracker that uses a newer version.

Execution
  • Scheduled Task (T1053): 5

Persistence
  • Scheduled Task (T1053): 5
  • Modify Existing Service (T1031): 5

Privilege Escalation
  • Scheduled Task (T1053): 5

Defense Evasion
  • Install Root Certificate (T1130): 3
  • Modify Registry (T1112): 7
  • Disabling Security Tools (T1089): 3

Credential Access
  • Credentials in Files (T1081): 4

Discovery
  • System Information Discovery (T1082): 35
  • Query Registry (T1012): 21
  • Peripheral Device Discovery (T1120): 5

Collection
  • Data from Local System (T1005): 4

Command and Control
  • Web Service (T1102): 5

Tasks

static1
  Score: N/A

behavioral1
  Tags: vidar, xmrig, 933, miner, stealer
  Score: 10/10

behavioral2
  Tags: vidar, xmrig, 933, miner, stealer
  Score: 10/10

behavioral3
  Score: 1/10

behavioral4
  Score: 1/10

behavioral5
  Tags: redline, smokeloader, media20, aspackv2, backdoor, infostealer, trojan
  Score: 10/10

behavioral6
  Tags: redline, smokeloader, aspackv2, backdoor, infostealer, spyware, stealer, trojan
  Score: 10/10

behavioral7
  Score: 10/10

behavioral8
  Score: 7/10

behavioral9
  Score: 10/10

behavioral10
  Score: 10/10

behavioral11
  Score: 10/10

behavioral12
  Score: 10/10

behavioral13
  Score: 10/10

behavioral14
  Score: 10/10

behavioral15
  Score: 3/10

behavioral16
  Score: 3/10

behavioral17
  Score: 10/10

behavioral18
  Score: 10/10

behavioral19
  Tags: redline, aspackv2, infostealer
  Score: 10/10

behavioral20
  Tags: redline, smokeloader, vidar, 937, aspackv2, backdoor, evasion, infostealer, spyware, stealer, trojan
  Score: 10/10

behavioral21
  Tags: vidar, xmrig, 933, discovery, miner, stealer
  Score: 10/10

behavioral22
  Tags: vidar, 933, discovery, stealer
  Score: 10/10

behavioral23
  Score: 10/10

behavioral24
  Score: 10/10

behavioral25
  Tags: redline, smokeloader, socelars, she, aspackv2, backdoor, evasion, infostealer, spyware, stealer, trojan
  Score: 10/10

behavioral26
  Tags: redline, smokeloader, socelars, vidar, 937, ani, media15, she, aspackv2, backdoor, evasion, infostealer, spyware, stealer, trojan
  Score: 10/10

behavioral27
  Score: 10/10

behavioral28
  Score: 10/10

behavioral29
  Tags: redline, smokeloader, socelars, vidar, 916, she, aspackv2, backdoor, evasion, infostealer, spyware, stealer, trojan
  Score: 10/10

behavioral30
  Tags: redline, smokeloader, socelars, vidar, 916, she, aspackv2, backdoor, evasion, infostealer, spyware, stealer, trojan
  Score: 10/10

behavioral31
  Score: 10/10

behavioral32
  Score: 10/10