a70760071dea52443d726965f9feef8a66848b6c6288e9354f8ca1e0e898f624

Tags

Signatures

• Arkei

  Description

  Arkei is an infostealer written in C++.

  Tags

  stealerarkei

• Raccoon

  Description

  Simple but powerful infostealer which was very active in 2019.

  Tags

  stealerraccoon

• RedLine

  Description

  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  Tags

  infostealerredline

• RedLine Payload

• SmokeLoader

  Description

  Modular backdoor trojan in use since 2014.

  Tags

  trojanbackdoorsmokeloader

• Tofsee

  Description

  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  Tags

  trojantofsee

• Vidar

  Description

  Vidar is an infostealer based on Arkei stealer.

  Tags

  stealervidar

• Windows security bypass

  Tags

  evasiontrojan

  TTPs

  Disabling Security ToolsModify Registry

• suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

  Description

  suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

  Tags

  suricata

• suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

  Description

  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

  Tags

  suricata

• suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

  Description

  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

  Tags

  suricata

• suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

  Description

  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

  Tags

  suricata

• suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

  Description

  suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

  Tags

  suricata

• xmrig

  Description

  XMRig is a high performance, open source, cross platform CPU/GPU miner.

  Tags

  minerxmrig

• Arkei Stealer Payload

  Tags

  stealer

• Identifies VirtualBox via ACPI registry values (likely anti-VM)

  Tags

  evasion

  TTPs

  Query RegistryVirtualization/Sandbox Evasion

• XMRig Miner Payload

  Tags

  miner

• Creates new service(s)

  Tags

  persistence

  TTPs

  New Service

• Downloads MZ/PE file

• Executes dropped EXE

• Modifies Windows Firewall

  Tags

  evasion

  TTPs

  Modify Existing Service

• Sets service image path in registry

  Tags

  persistence

  TTPs

  Registry Run Keys / Startup FolderModify Registry

• Checks BIOS information in registry

  Description

  BIOS information is often read in order to detect sandboxing environments.

  TTPs

  Query RegistrySystem Information Discovery

• Deletes itself

• Loads dropped DLL

• Reads user/profile data of web browsers

  Description

  Infostealers often target stored browser data, which can include saved credentials etc.

  Tags

  spywarestealer

  TTPs

  Data from Local SystemCredentials in Files

• Accesses 2FA software files, possible credential harvesting

  Tags

  spywarestealer

  TTPs

  Data from Local SystemCredentials in Files

• Accesses Microsoft Outlook profiles

  Tags

  collection

  TTPs

  Email Collection

• Accesses cryptocurrency files/wallets, possible credential harvesting

  Tags

  spyware

  TTPs

  Data from Local SystemCredentials in Files

• Checks installed software on the system

  Description

  Looks up Uninstall key entries in the registry to enumerate software on the system.

  Tags

  discovery

  TTPs

  Query Registry

• Checks whether UAC is enabled

  Tags

  evasiontrojan

  TTPs

  System Information Discovery

• Legitimate hosting services abused for malware hosting/C2

  TTPs

  Web Service

• Drops file in System32 directory

• Suspicious use of NtSetInformationThreadHideFromDebugger

• Suspicious use of SetThreadContext

Related Tasks