Extracted

Extracted

Extracted

• • Target

    0c7cd5a32bf32320089d44dc1a2cb8a3.exe

  • Size

    289KB

  • MD5

    0c7cd5a32bf32320089d44dc1a2cb8a3

  • SHA1

    f5d6dbeecc9b6020a34811f5ef6310198288ffc2

  • SHA256

    2b8d595d4763ee7ae46bf143f394fe9239d2a0d1a77dea9d2f69cfb5e253c042

  • SHA512

    2151614602a002efedd85e158f901be5f145c75376e105a5b6071c89003294336583ec439a64c6dfa760d6709ee1cb5d6bc270355953b9390b2e19409c05099a

  Score

  10^/10

  arkeiraccoonsmokeloadertofseebackdoorcollectiondiscoveryevasionpersistencespywarestealersuricatatrojanupxloaderbotredlineinfostealerloaderminer

  • Arkei

    Arkei is an infostealer written in C++.

    stealerarkei

  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

    loaderminerloaderbot

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine Payload

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    suricata

  • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    suricata

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata

  • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    suricata

  • Arkei Stealer Payload

    stealer

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • LoaderBot executable

  • Blocklisted process makes network request

  • Creates new service(s)

    persistence

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself

  • Drops startup file

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2