3FB154482EF8AE49941C9ED13063294CD4F97E28E5DD8.exe

Tags

Signatures

• Modifies Windows Defender Real-time Protection settings

  Tags

  evasiontrojan

  TTPs

  Modify RegistryModify Existing ServiceDisabling Security Tools

• Process spawned unexpected child process

  Description

  This typically indicates the parent process was compromised via an exploit or macro.

• RedLine

  Description

  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  Tags

  infostealerredline

• RedLine Payload

• Socelars

  Description

  Socelars is an infostealer targeting browser cookies and credit card credentials.

  Tags

  stealersocelars

• Socelars Payload

• Suspicious use of NtCreateProcessExOtherParentProcess

• ASPack v2.12-2.42

  Description

  Detects executables packed with ASPack v2.12-2.42

  Tags

  aspackv2

• Downloads MZ/PE file

• Executes dropped EXE

• Checks computer location settings

  Description

  Looks up country code configured in the registry, likely geofence.

  TTPs

  Query RegistrySystem Information Discovery

• Loads dropped DLL

• Reads user/profile data of web browsers

  Description

  Infostealers often target stored browser data, which can include saved credentials etc.

  Tags

  spywarestealer

  TTPs

  Data from Local SystemCredentials in Files

• Legitimate hosting services abused for malware hosting/C2

  TTPs

  Web Service

• Looks up external IP address via web service

  Description

  Uses a legitimate IP lookup service to find the infected system's external IP.

• Looks up geolocation information via web service

  Description

  Uses a legitimate geolocation service to find the infected system's geolocation info.

• Drops file in System32 directory

• Suspicious use of SetThreadContext

Related Tasks