fabookie

Sharing

Copy URL

Twitter E-mail

General

Target

400debff42246bcf28d1eba937480ebdfa755c932707db10ab58ec4a1f5e94f1
Size

210.5MB
Sample

241104-3xhjds1anm
MD5

718122e481538fe9069b13d4ad3feccf
SHA1

bd021b079d05d335981651154afe30f158f3f036
SHA256

400debff42246bcf28d1eba937480ebdfa755c932707db10ab58ec4a1f5e94f1
SHA512

5d24fa36f6caa029bb65c50dfea219ab66262bdd6b54a20eefabed7cb9c9c961c189e25304e43ceaf19a4eaa5c7c3618727d36fd3b9ac30b0d083227334dae12
SSDEEP

3145728:R8YK6ZGyOp/Z7Bwp8K75Kf9ddo6/vw2/hu4IqZ0spuY5f9dbGbpDHk9B69ZzgUeC:6YK6YVp/k/5KfjvGVapVdkE6Z0pOFmKP

Malware Config

Extracted

Family

privateloader

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

Extracted

Family

redline

Botnet

she

135.181.129.119:4805

Attributes

auth_value
b69102cdbd4afe2d3159f88fb6dac731

Extracted

Family

nullmixer

http://hsiens.xyz/

http://marianu.xyz/

http://sayanu.xyz/

http://mooorni.xyz/

Extracted

Family

redline

Botnet

ANI

45.142.215.47:27643

194.104.136.5:46013

Attributes

auth_value
9491a1c5e11eb6097e68a4fa8627fda8

Extracted

Family

redline

Botnet

media12

91.121.67.60:2151

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Extracted

Family

gcleaner

ggg-cl.biz

45.9.20.13

ppp-gl.biz

gcl-gb.biz

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

http://www.efxety.top/

Extracted

Family

redline

Botnet

fucker2

135.181.129.119:4805

Attributes

auth_value
b69102cdbd4afe2d3159f88fb6dac731

Extracted

Family

redline

Botnet

Chris

194.104.136.5:46013

Attributes

auth_value
9491a1c5e11eb6097e68a4fa8627fda8

Extracted

Family

redline

Botnet

media18

91.121.67.60:2151

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Extracted

Family

redline

Botnet

media17

91.121.67.60:2151

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Extracted

Family

vidar

Version

41.4

Botnet

916

https://mas.to/@sslam

Attributes

profile_id
916

Extracted

Family

redline

Botnet

fuck1

135.181.129.119:4805

Attributes

auth_value
b69102cdbd4afe2d3159f88fb6dac731

Extracted

Family

redline

Botnet

media13

91.121.67.60:2151

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Extracted

Family

redline

Botnet

media14

91.121.67.60:2151

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Targets

- Target
  
  01a53007f9b19d8ae4f12cc75bafcbef064f75d3a4b31b347b334a2d30558d68
- Size
  
  3.3MB
- MD5
  
  b5b1415b3890d0108ac53acd595497b9
- SHA1
  
  876eb8e34ecb3c1fea20e2c6b710346676ad2de2
- SHA256
  
  01a53007f9b19d8ae4f12cc75bafcbef064f75d3a4b31b347b334a2d30558d68
- SHA512
  
  fe58023cba73deac0229cd45b73227e5d1c1f6760f3f053dbcdb4f388d6234940985f57ab8ffc73c4e8eff4bf3a2ef956cd44bdcdd66c44c1cc1ea86e335e4d0
- SSDEEP
  
  49152:xcB4EwJ84vLRaBtIl9mVHZ7PhEKQ9F6ZGZ9kLvlEEXArNC6XlruK1JJecwJpVz+K:xKCvLUBsg575Uwg9CvD969D1zecwlTWM
Score

10^/10

fabookie gcleaner nullmixer onlylogger privateloader redline sectoprat ani media12 she aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- OnlyLogger payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66
- Size
  
  403KB
- MD5
  
  f957e397e71010885b67f2afe37d8161
- SHA1
  
  a8bf84b971b37ac6e7f66c5e5a7e971a7741401e
- SHA256
  
  022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66
- SHA512
  
  8b5e9cb926fafc295c403c1fce7aa883db3a327e58c3295e9a081a8937bed28e305cca08c2c7d98080818095ea99bb4047e10aa2f61e3e4d6d965aef6d16a4f6
- SSDEEP
  
  6144:ilwYPg/USg7WFugaqIv1pE0EAPMrGWsWDWidF0HQszCZ2Ftppb9Y81+k7pq7FLfj:iyYI/7FugaLS2zO
Score

6^/10

discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral3 behavioral4
- Target
  
  02ca2b5bb774890c50950ad93becc2851bac8d04c35464dad4854088c5db4135
- Size
  
  6.8MB
- MD5
  
  dcd0d8a4e476db4602f3beae6a60b4c9
- SHA1
  
  7906d0674d60685b06289db375eacf954e3185e3
- SHA256
  
  02ca2b5bb774890c50950ad93becc2851bac8d04c35464dad4854088c5db4135
- SHA512
  
  62301111141dcc72862dde4d277b4250c25bb7532105348bbb51e8ca30ded5c985016a61978509c271210faf50cbe5d789ce5f6de84511167b2c5131e8041bd8
- SSDEEP
  
  196608:JA9m5r9j4581N4V0tnJde6PBVcXrCrg3Se0tkrHDb:JA9Or9n4VQJdxVarEqskrjb
Score

10^/10

fabookie nullmixer privateloader redline sectoprat socelars ani media14 she aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  setup_installer.exe
- Size
  
  6.7MB
- MD5
  
  9ca270cf80e656ea1a677ff78322e6fb
- SHA1
  
  183b9fcd14606d1c6769557209785aba9f603c2c
- SHA256
  
  8da322eda4058e49af97ffb0e11386d5c1814b9cda04b66ff57be1077e5c2821
- SHA512
  
  969ad9c8f31681780dd8cabd35a6179a43c44b1f7004d3a417b5c00fa0d57553f797c8203e7706367ef32269a90161db3cae387d636739b72aaf67b509662650
- SSDEEP
  
  196608:xOLUCgZPuzddqZBexm7jd4je0inyNzrvYjGrzLN:x2dgZPIdq6iKjeqzrACrXN
Score

10^/10

fabookie nullmixer privateloader redline sectoprat socelars ani media14 she aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  0d69cafe700a952a621c9b5981504e30c939c3d6cc34452691fce67b2eb6c1cd
- Size
  
  5.6MB
- MD5
  
  a121db3e0809289a5c41c44958ff6fa0
- SHA1
  
  fd40bbe6eaeea4004046f65a8c647fabb35e1742
- SHA256
  
  0d69cafe700a952a621c9b5981504e30c939c3d6cc34452691fce67b2eb6c1cd
- SHA512
  
  0e4af224ea67c07bdce0bae3b4040d900e2c011557ef55d8d0e68d596826561a8d4f3b553cc3290cf60e87ccee975deb65c1de9553fabfee5f67268935d8081f
- SSDEEP
  
  98304:JVw5AxSbnFouWDC50KmHeIQT8ZVK+zoN3aZdKfFEqsJtn05C5H+ZB3pjHOR:Ja5AeFeC5UH5a87/oN3aZdKNyxeCH+ZY
Score

10^/10

fabookie gcleaner nullmixer onlylogger privateloader redline sectoprat socelars ani she aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- OnlyLogger payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  setup_installer.exe
- Size
  
  5.5MB
- MD5
  
  8f86dedab3baf5ffaaebb8a77d417737
- SHA1
  
  2469e1057b3a544402d57a602a916b0663a8ff8c
- SHA256
  
  b25679ef641f0a807ef8200eb0ec464680dfdfff23b42bad85099b140c5d5630
- SHA512
  
  2f70caeb89da15a3b1222b52cf49b09af61937b1bf92b5c0baad4d222a9c02f30e174cc9bd8078531fac26213fb990ab1cac78b13f38e7cbc75389685b0ec61c
- SSDEEP
  
  98304:xHJbto7+irOuqh3GOt0vgYklZpKnKjHKUeFeK0szczORFoUBcWQ:xHjoNF6GOtUklzjqUeYY9RFoUmf
Score

10^/10

fabookie gcleaner nullmixer onlylogger privateloader redline sectoprat socelars ani she aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- OnlyLogger payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  0df647f0a2aa6c1aa1ec9426b9ef7c23eb6394f3ed29fbbdd0e9e228d24510bc
- Size
  
  4.4MB
- MD5
  
  5fdb93aaa25f3b7e5a0a7d046e92df52
- SHA1
  
  450ea998b3090ef6922200b87e49fd0c7f543420
- SHA256
  
  0df647f0a2aa6c1aa1ec9426b9ef7c23eb6394f3ed29fbbdd0e9e228d24510bc
- SHA512
  
  85421cae4393bd86da4a1d48fbfd4f1fa14ae3c369f9f3da5f4ef5684ce18ed5576d9e221a1264f01cb9a6211113ca64a16e708671f83e946773cd0c430dd8e6
- SSDEEP
  
  98304:JokzWIc2TbzGRtKrhAUWe8wDmK+yh6JP1lvjR4Zlnmr7:JoeWkTHG7keU1/cJP1tjRsnmr7
Score

10^/10

nullmixer privateloader redline sectoprat socelars chris fucker2 media18 aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan gcleaner onlylogger raccoon
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V1 payload
- Raccoon family
  raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- OnlyLogger payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  setup_installer.exe
- Size
  
  4.3MB
- MD5
  
  5fd1eea0e6078f55eab45b7d8e79b4b9
- SHA1
  
  c934a408918d20e2cc7ea8c64f294cb179dc0bdd
- SHA256
  
  012498bb79e5b2914abac4b8343510a8cd180a92d11ec087f66dfd87a202f41c
- SHA512
  
  0e03b8f61753286b9fcc00fa4cb55c029db96bf5e788dfca2a76b3b806210cab01b4a605b54db53d33814c845b50b596830a45433b941f28ec96817a41549f32
- SSDEEP
  
  98304:x1CvLUBsgNKVNzhkopjbrs+j4YyBNTCFe2GDwx/D:xGLUCg4V4oZbw+MdsO+7
Score

10^/10

nullmixer privateloader raccoon redline sectoprat socelars chris fucker2 media18 aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan gcleaner onlylogger
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V1 payload
- Raccoon family
  raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- OnlyLogger payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  1df367eead22695952cce5131891dfec5c479da37cb3dac0403015ebb785032c
- Size
  
  4.6MB
- MD5
  
  cc2c8271c80d294b35d51b0721d59ba5
- SHA1
  
  397ee3270770e940ee868d3d06d9feaed1599d79
- SHA256
  
  1df367eead22695952cce5131891dfec5c479da37cb3dac0403015ebb785032c
- SHA512
  
  ecfd4c52c008a86ca387a00c530fcac2971080b5cabae4d91da425f3cb042ca2e363c5048c0ea7349ea446f4e3797c04448b84a863fbf9672dded861cc22f34c
- SSDEEP
  
  98304:JvdS3p0K75GAGcpvFUMxc1ArvR/ylQqTuTbuM/lRs31RU39Giua8aHTu0hV:JFS3uK75D5pvFpxccVyF6j83UtvhV
Score

10^/10

gcleaner nullmixer onlylogger privateloader raccoon redline sectoprat socelars fucker2 media18 aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V1 payload
- Raccoon family
  raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- OnlyLogger payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral17 behavioral18
- Target
  
  setup_installer.exe
- Size
  
  4.6MB
- MD5
  
  2b38c5035ebb79488f1355f9db13bf93
- SHA1
  
  70a1a476d778bdb4d152c256a543d1cf8599acf1
- SHA256
  
  1d9db6232210accf7b38968a4d16f1b9f6c17886172766b0ed73291eac8b0e1c
- SHA512
  
  2b72bae325b0537135a3a32855323ac45cecc3a8fc88f474200520f37ecf3608f0128ae7bd454217af134f1a03caa16fbf5fbcf9d30c738d145ed2bb0a676681
- SSDEEP
  
  98304:xuCvLUBsgnH72QgyZaQU6Rtyzd+Kq+uXfG4dt3p8wg5+avOJrr+ZZ:xnLUCgH7xXZ/RLv+4p8wsIrKH
Score

10^/10

gcleaner nullmixer onlylogger privateloader raccoon redline sectoprat socelars fucker2 media18 aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V1 payload
- Raccoon family
  raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- OnlyLogger payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral19 behavioral20
- Target
  
  1e083736aeca35b40f45693442d37466fa7b61ab36b2cebc2a49cb8c8492a433
- Size
  
  5.9MB
- MD5
  
  2054a395da9f7a789bef703c5d2d60c1
- SHA1
  
  f170cbc93d4fb3f4f92ccd88039272bf78bdfa89
- SHA256
  
  1e083736aeca35b40f45693442d37466fa7b61ab36b2cebc2a49cb8c8492a433
- SHA512
  
  1439382b36a24d898fc769a742b05c2c9ad898a6e5750e0f7e813fd5d536834e44572061efb0c89af72c5a97c3502e9ee30c2c861154f0fbb4c4164e3880ffcf
- SSDEEP
  
  98304:xHCvLUBsghjeXIZ90vNP7S5OFFh506+n5+4fKwKy7mGVYQUki4mG:xkLUCghZ90e5+50T7fKwV7mGaQBmG
Score

10^/10

fabookie gcleaner nullmixer onlylogger privateloader redline sectoprat socelars vidar 916 ani media17 aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- OnlyLogger payload
- Vidar Stealer
  stealer
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral21 behavioral22
- Target
  
  1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d
- Size
  
  7.1MB
- MD5
  
  2b01f663d5244764e8c2d164d3345fd6
- SHA1
  
  2b0dfcc018a5da0f140352bd114fb0f5e9abdfc3
- SHA256
  
  1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d
- SHA512
  
  2c7dd219673800320e3432ff6d8d2e5c2c3ae60a5f5960097d16ff79f385186ce13a81ea5a2b3d17652161d55ea552712f73d2d154b377fa74ec10043469dab4
- SSDEEP
  
  196608:x1LUCg3xjX8jOOU62TdXIGVlgJZhNSJWSCumPm3B:xNdgVMjRD2TCWler32PB
Score

10^/10

fabookie gcleaner nullmixer onlylogger privateloader raccoon redline sectoprat socelars vidar fuck1 media18 aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V1 payload
- Raccoon family
  raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- OnlyLogger payload
- Vidar Stealer
  stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral23 behavioral24
- Target
  
  2010009ff5b8b55fbcaa90318461a1b5b69ef6c8fd32ac279e81a10844d57859
- Size
  
  3.4MB
- MD5
  
  8e909af6cbb66bc255609e7d86360e7c
- SHA1
  
  3b3fbbe358970adea4c69ea8a0251407697a09e0
- SHA256
  
  2010009ff5b8b55fbcaa90318461a1b5b69ef6c8fd32ac279e81a10844d57859
- SHA512
  
  bd943f7562b3849695d5cec246366fc8fc811359edf890a41ed3169bd582e68b02c5831fca738b88a4d71c0e42dd3d202bc48cbc49bad24754465b410369826a
- SSDEEP
  
  98304:xLCvLUBsgDIsM0pYr5wZ/G7Z7s59vEZ64S0yhjxW:xwLUCgO0C2wps59yty9xW
Score

10^/10

fabookie gcleaner nullmixer onlylogger privateloader redline sectoprat ani media13 she aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- OnlyLogger payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral25 behavioral26
- Target
  
  243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493
- Size
  
  4.6MB
- MD5
  
  664aed619fcf50da08dc9d74f48aad57
- SHA1
  
  995df8d6655cf256187df9bc9699bdd094c33616
- SHA256
  
  243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493
- SHA512
  
  c2b5326396712ef94b51ab52e5f655134978af980db04c09c3cb7a6fce5e236087da790a65b493c1e9760617a2867070ad824a2d458f38a65916594d313254fc
- SSDEEP
  
  98304:x1CvLUBsgguMDaxb+TpZXZiUXhAXJeLO++PKxOkUktQkcz:xGLUCggjD++nZhXFyRoOkWtz
Score

10^/10

gcleaner nullmixer onlylogger privateloader raccoon redline sectoprat socelars fucker2 media18 aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V1 payload
- Raccoon family
  raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- OnlyLogger payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral27 behavioral28
- Target
  
  2d63a14e4ab37be8d0eee3d87959e3a0ef972d07411c136ecf2f1ac4191a701a
- Size
  
  3.9MB
- MD5
  
  e04c606d6936962fe40913b1654410d8
- SHA1
  
  37a7a94ea89f4697ad779a43c907deef4fd04f89
- SHA256
  
  2d63a14e4ab37be8d0eee3d87959e3a0ef972d07411c136ecf2f1ac4191a701a
- SHA512
  
  a98c183a3b9b4cc34544f9cd1ba5ba4a41595ce06d21e0ae2598adc96096411e94a09e3ef72bdc49f7a74b2d58bd7274e041eee2c4d3cee6f2476b3c000c8ba2
- SSDEEP
  
  98304:J++XaKKQegdAFyhgB/Mb8I8V/YuDH8s6Z1z8ZubJeWRDpW:J++qZgdAFDvXDcbvzDbfDc
Score

10^/10

fabookie gcleaner nullmixer onlylogger redline sectoprat socelars ani she aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- OnlyLogger payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral29 behavioral30
- Target
  
  setup_installer.exe
- Size
  
  3.8MB
- MD5
  
  f4aac7c569d0ae03bad95adc6a1fbc01
- SHA1
  
  29193f8d0f591f9ea39e63f51dfaa4380d07a3fc
- SHA256
  
  544d262964209c3ae9d221c48a054bb11f15bbbcb13a5cf6507b7e8ce1429671
- SHA512
  
  2dfcbee0d7e2096f40189fa6d0f72e64a99a020409dcb2e101dbb9ad66ae846fb1c12746ed523426cef5cc59c7cdc790a6aced76a2d3c92ce6bb66c35841ee97
- SSDEEP
  
  98304:xMCvLUBsgHrwQ5FC91v0hrVCWqhLhCj3RA8Ysnjc:xRLUCgLjC9acWcL8NA8Q
Score

10^/10

fabookie gcleaner nullmixer onlylogger redline sectoprat socelars ani she aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- OnlyLogger payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detect Fabookie payload

Fabookie family

GCleaner

Gcleaner family

NullMixer

Nullmixer family

OnlyLogger

Onlylogger family

PrivateLoader

Privateloader family

RedLine

RedLine payload

Redline family

SectopRAT

SectopRAT payload

Sectoprat family

OnlyLogger payload

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

ASPack v2.12-2.42

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Detect Fabookie payload

Fabookie

Fabookie family

NullMixer

Nullmixer family

PrivateLoader

Privateloader family

RedLine

RedLine payload

Redline family

SectopRAT

SectopRAT payload

Sectoprat family

Socelars

Socelars family

Socelars payload

Command and Scripting Interpreter: PowerShell

ASPack v2.12-2.42

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Detect Fabookie payload

Fabookie

Fabookie family

NullMixer

Nullmixer family