Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    a389e28415f923aeba3d6a0db83a098e.exe

  • Size

    4.2MB

  • MD5

    894f8165e6092fae4e34107475aee96d

  • SHA1

    2aca9e58fe5dcc7fcd5bb9fcacd65c5f572c014a

  • SHA256

    4e92d1047bd80cc6ae21344c207a09c4de026cb7d8249a9ce4a8be190b003cdb

  • SHA512

    b5d9fa1cc79cd09a5d6cfff8f01144e261eb58169e8c97c56fff120dbe6154b53d578d78d1d6e958b873715e07737bc8018559a1dd5e33ec3322686888643734

  • SSDEEP

    98304:yNlkiDfEWZksmiYs64VOccf1notv27bth:yN6iDT6smiFFOxnYvWz

  Score

  10^/10

  cryptbotnullmixerprivateloaderaspackv2dropperexecutionloaderpersistencespywarestealer

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot

  • CryptBot payload

  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  behavioral1

• • Target

    setup_installer.exe

  • Size

    4.1MB

  • MD5

    09c8df8640a8e73a7ce0584e8ed299c3

  • SHA1

    bc5cdfcb5320bc112db2b863af110ceca1fdf85c

  • SHA256

    bab08164f7128f3ac0418df028c40a65684a0fb4b060403d6981a8c7ab318134

  • SHA512

    88b9e4568d2baa80d9b83d2c078e9eeb7f55d2489193dae8c8aa6199f6ab0558c18f13ad27e3c612fe5b921ed241696229a52f2ab2fbef0e636cdc73d81a3361

  • SSDEEP

    98304:xIIDN+vE/OCGZHY5hTSxtz7vawD+P+ar0oSlOHmY8boVBvOk9:xIG+RJ6T2tzGUk+blOGY8boVlb9

  Score

  10^/10

  cryptbotnullmixerprivateloaderaspackv2discoverydropperexecutionloaderpersistencespywarestealer

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot

  • CryptBot payload

  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  behavioral2

• • Target

    ba9a29ad7fce149a79d17560cbdcbd8e.exe

  • Size

    7.5MB

  • MD5

    a02815a96aefaea2375fbeae1daf7719

  • SHA1

    dce0a61acb78eb19a64236216c753fe56b15319f

  • SHA256

    1c5cf831daab60f538f725dcf73f44ee1379a97dc228185f4ccbdefcac678a3d

  • SHA512

    26a2348efc2ac44b42ae4a0bb5e51497b815691344a92bcf69e4e77309eba484eb00c6336b8a36da0449ebd853c3ef9c47d521dc52c33e53f1626a4357194ed0

  • SSDEEP

    196608:Ji237DvW856Tr3SnDC6JPW3sZG1/ruOL2Z:JFrDD5krinDCc3GfK

  Score

  10^/10

  fabookienullmixerredlinesocelarsmedia13nv2user1aspackv2dropperexecutioninfostealerspywarestealer

  • Detect Fabookie payload

  • Fabookie

    Fabookie is facebook account info stealer.

    spywarestealerfabookie

  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars

  • Socelars payload

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Nirsoft

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral3

• • Target

    setup_installer.exe

  • Size

    7.4MB

  • MD5

    518b3e947e8a892d8b9c49800bfc2877

  • SHA1

    73a8bb6a190613d55530a8fcab924975a192fb46

  • SHA256

    4eb8c045243cb7746a602550b8e99e57be42ae93b5d39cbe3b2c3939d481590b

  • SHA512

    9d75f45b4fe7ec6227fba508376dd52809198312b5afedb1abc85dd84b49ca9174f661703c7f6caea28d58fc20303ccf88d436f6a645288d69809d5594a2e4d9

  • SSDEEP

    196608:xDLUCg7/GX8TfhtpVsN8KzUJ1RHEwUIhL/JOdtS:xfdg7/GXKfhDVsN8Ko1S8hboE

  Score

  10^/10

  fabookienullmixerredlinesocelarsmedia13nv2user1aspackv2dropperexecutioninfostealerspywarestealer

  • Detect Fabookie payload

  • Fabookie

    Fabookie is facebook account info stealer.

    spywarestealerfabookie

  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars

  • Socelars payload

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Nirsoft

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral4