Overview

overview

10

Static

static

3

Setup_x32_...0).exe

windows7-x64

10

Setup_x32_...0).exe

windows10-2004-x64

10

Setup_x32_...1).exe

windows7-x64

10

Setup_x32_...1).exe

windows10-2004-x64

10

Setup_x32_...2).exe

windows7-x64

10

Setup_x32_...2).exe

windows10-2004-x64

10

Setup_x32_...3).exe

windows7-x64

10

Setup_x32_...3).exe

windows10-2004-x64

10

Setup_x32_...4).exe

windows7-x64

10

Setup_x32_...4).exe

windows10-2004-x64

10

Setup_x32_...5).exe

windows7-x64

10

Setup_x32_...5).exe

windows10-2004-x64

10

Setup_x32_...6).exe

windows7-x64

10

Setup_x32_...6).exe

windows10-2004-x64

10

Setup_x32_...7).exe

windows7-x64

10

Setup_x32_...7).exe

windows10-2004-x64

10

Setup_x32_...8).exe

windows7-x64

10

Setup_x32_...8).exe

windows10-2004-x64

10

Setup_x32_...9).exe

windows7-x64

10

Setup_x32_...9).exe

windows10-2004-x64

10

Setup_x32_x64 (2).exe

windows7-x64

10

Setup_x32_x64 (2).exe

windows10-2004-x64

10

Setup_x32_...0).exe

windows7-x64

10

Setup_x32_...0).exe

windows10-2004-x64

10

Setup_x32_...1).exe

windows7-x64

10

Setup_x32_...1).exe

windows10-2004-x64

10

Setup_x32_...2).exe

windows7-x64

10

Setup_x32_...2).exe

windows10-2004-x64

10

Setup_x32_...3).exe

windows7-x64

10

Setup_x32_...3).exe

windows10-2004-x64

10

Setup_x32_...4).exe

windows7-x64

10

Setup_x32_...4).exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f5796455d38b281afea25911c9f97bf14bfdaaa0892a908fbe215f72ea59bb74

  • Size

    209.0MB

  • Sample

    241106-k5s1zsxekf

  • MD5

    b5c6981fb9a2a56ad343d847ab5a94ae

  • SHA1

    e826fa036f2be1deb846abda64b1a8f4a459e160

  • SHA256

    f5796455d38b281afea25911c9f97bf14bfdaaa0892a908fbe215f72ea59bb74

  • SHA512

    0dbf535c804897c53d550c4515adb8239987df7f487b9322dfddf29f84678f41045318c2cdd76ad64179ac973c0c6e1fe7a8483f48556488cf36f58c2d72f9d8

  • SSDEEP

    3145728:IPbPNPRPLPGk+rk+Sk+Uk+ak+mk+Fk+Rk+7k+jk+wk+gk+Nk+hk+qk+mk+Nk+JkX:gz9xDX

Score
10/10
fabookieffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect

Malware Config

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.wygexde.xyz/

Extracted

Family

ffdroider

C2

http://101.36.107.74

Extracted

Family

nullmixer

C2

http://wxkeww.xyz/

Extracted

Family

redline

Botnet

Cana

C2

176.111.174.254:56328

Extracted

Family

redline

Botnet

DomAni2

C2

flestriche.xyz:80

Targets

    • Target

      Setup_x32_x64 (10).exe

    • Size

      6.7MB

    • MD5

      9ed9d2543910e01707fad071b76e52a1

    • SHA1

      95c7867404af5e2d8d93b145dc254816192ab640

    • SHA256

      384b35bfb6d07dda3ea948bb9aa47a3024822ff40d21a13932381d6386643acc

    • SHA512

      aa51f249f1e443fce520853c2295c88f14bdb57a8714500cfa027fbb11f6fefc3bc901ea91fbdb630b151a098d10ed6536ffd04a545a95957737d714fd18f176

    • SSDEEP

      196608:UBK7xHBATdA8xsvku1c7ZG2SuLgsn2bMlCnahYF7pS0i2:N7rYpIs7ZpL2bM0KM5

    Score
    10/10
    ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotectfabookie

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • Ffdroider family

      ffdroider

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

    • Target

      Setup_x32_x64 (11).exe

    • Size

      6.7MB

    • MD5

      9ed9d2543910e01707fad071b76e52a1

    • SHA1

      95c7867404af5e2d8d93b145dc254816192ab640

    • SHA256

      384b35bfb6d07dda3ea948bb9aa47a3024822ff40d21a13932381d6386643acc

    • SHA512

      aa51f249f1e443fce520853c2295c88f14bdb57a8714500cfa027fbb11f6fefc3bc901ea91fbdb630b151a098d10ed6536ffd04a545a95957737d714fd18f176

    • SSDEEP

      196608:UBK7xHBATdA8xsvku1c7ZG2SuLgsn2bMlCnahYF7pS0i2:N7rYpIs7ZpL2bM0KM5

    Score
    10/10
    ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotectfabookie

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • Ffdroider family

      ffdroider

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral3behavioral4

    • Target

      Setup_x32_x64 (12).exe

    • Size

      6.7MB

    • MD5

      9ed9d2543910e01707fad071b76e52a1

    • SHA1

      95c7867404af5e2d8d93b145dc254816192ab640

    • SHA256

      384b35bfb6d07dda3ea948bb9aa47a3024822ff40d21a13932381d6386643acc

    • SHA512

      aa51f249f1e443fce520853c2295c88f14bdb57a8714500cfa027fbb11f6fefc3bc901ea91fbdb630b151a098d10ed6536ffd04a545a95957737d714fd18f176

    • SSDEEP

      196608:UBK7xHBATdA8xsvku1c7ZG2SuLgsn2bMlCnahYF7pS0i2:N7rYpIs7ZpL2bM0KM5

    Score
    10/10
    ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotectfabookie

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • Ffdroider family

      ffdroider

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral5behavioral6

    • Target

      Setup_x32_x64 (13).exe

    • Size

      6.7MB

    • MD5

      9ed9d2543910e01707fad071b76e52a1

    • SHA1

      95c7867404af5e2d8d93b145dc254816192ab640

    • SHA256

      384b35bfb6d07dda3ea948bb9aa47a3024822ff40d21a13932381d6386643acc

    • SHA512

      aa51f249f1e443fce520853c2295c88f14bdb57a8714500cfa027fbb11f6fefc3bc901ea91fbdb630b151a098d10ed6536ffd04a545a95957737d714fd18f176

    • SSDEEP

      196608:UBK7xHBATdA8xsvku1c7ZG2SuLgsn2bMlCnahYF7pS0i2:N7rYpIs7ZpL2bM0KM5

    Score
    10/10
    ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • Ffdroider family

      ffdroider

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral7behavioral8

    • Target

      Setup_x32_x64 (14).exe

    • Size

      6.7MB

    • MD5

      9ed9d2543910e01707fad071b76e52a1

    • SHA1

      95c7867404af5e2d8d93b145dc254816192ab640

    • SHA256

      384b35bfb6d07dda3ea948bb9aa47a3024822ff40d21a13932381d6386643acc

    • SHA512

      aa51f249f1e443fce520853c2295c88f14bdb57a8714500cfa027fbb11f6fefc3bc901ea91fbdb630b151a098d10ed6536ffd04a545a95957737d714fd18f176

    • SSDEEP

      196608:UBK7xHBATdA8xsvku1c7ZG2SuLgsn2bMlCnahYF7pS0i2:N7rYpIs7ZpL2bM0KM5

    Score
    10/10
    fabookieffdroidernullmixerredlinesectopratsocelarscanadomani2aspackv2discoverydropperevasioninfostealerratspywarestealertrojanupxvmprotectprivateloadervidarloader

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • Ffdroider family

      ffdroider

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral10behavioral9

    • Target

      Setup_x32_x64 (15).exe

    • Size

      6.7MB

    • MD5

      9ed9d2543910e01707fad071b76e52a1

    • SHA1

      95c7867404af5e2d8d93b145dc254816192ab640

    • SHA256

      384b35bfb6d07dda3ea948bb9aa47a3024822ff40d21a13932381d6386643acc

    • SHA512

      aa51f249f1e443fce520853c2295c88f14bdb57a8714500cfa027fbb11f6fefc3bc901ea91fbdb630b151a098d10ed6536ffd04a545a95957737d714fd18f176

    • SSDEEP

      196608:UBK7xHBATdA8xsvku1c7ZG2SuLgsn2bMlCnahYF7pS0i2:N7rYpIs7ZpL2bM0KM5

    Score
    10/10
    ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotectfabookie

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • Ffdroider family

      ffdroider

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral11behavioral12

    • Target

      Setup_x32_x64 (16).exe

    • Size

      6.7MB

    • MD5

      9ed9d2543910e01707fad071b76e52a1

    • SHA1

      95c7867404af5e2d8d93b145dc254816192ab640

    • SHA256

      384b35bfb6d07dda3ea948bb9aa47a3024822ff40d21a13932381d6386643acc

    • SHA512

      aa51f249f1e443fce520853c2295c88f14bdb57a8714500cfa027fbb11f6fefc3bc901ea91fbdb630b151a098d10ed6536ffd04a545a95957737d714fd18f176

    • SSDEEP

      196608:UBK7xHBATdA8xsvku1c7ZG2SuLgsn2bMlCnahYF7pS0i2:N7rYpIs7ZpL2bM0KM5

    Score
    10/10
    ffdroidernullmixerredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerratspywarestealertrojanupxvmprotectfabookieprivateloaderloader

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • Ffdroider family

      ffdroider

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral13behavioral14

    • Target

      Setup_x32_x64 (17).exe

    • Size

      6.7MB

    • MD5

      9ed9d2543910e01707fad071b76e52a1

    • SHA1

      95c7867404af5e2d8d93b145dc254816192ab640

    • SHA256

      384b35bfb6d07dda3ea948bb9aa47a3024822ff40d21a13932381d6386643acc

    • SHA512

      aa51f249f1e443fce520853c2295c88f14bdb57a8714500cfa027fbb11f6fefc3bc901ea91fbdb630b151a098d10ed6536ffd04a545a95957737d714fd18f176

    • SSDEEP

      196608:UBK7xHBATdA8xsvku1c7ZG2SuLgsn2bMlCnahYF7pS0i2:N7rYpIs7ZpL2bM0KM5

    Score
    10/10
    ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotectfabookie

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • Ffdroider family

      ffdroider

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral15behavioral16

    • Target

      Setup_x32_x64 (18).exe

    • Size

      6.7MB

    • MD5

      9ed9d2543910e01707fad071b76e52a1

    • SHA1

      95c7867404af5e2d8d93b145dc254816192ab640

    • SHA256

      384b35bfb6d07dda3ea948bb9aa47a3024822ff40d21a13932381d6386643acc

    • SHA512

      aa51f249f1e443fce520853c2295c88f14bdb57a8714500cfa027fbb11f6fefc3bc901ea91fbdb630b151a098d10ed6536ffd04a545a95957737d714fd18f176

    • SSDEEP

      196608:UBK7xHBATdA8xsvku1c7ZG2SuLgsn2bMlCnahYF7pS0i2:N7rYpIs7ZpL2bM0KM5

    Score
    10/10
    ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotectfabookie

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • Ffdroider family

      ffdroider

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral17behavioral18

    • Target

      Setup_x32_x64 (19).exe

    • Size

      6.7MB

    • MD5

      9ed9d2543910e01707fad071b76e52a1

    • SHA1

      95c7867404af5e2d8d93b145dc254816192ab640

    • SHA256

      384b35bfb6d07dda3ea948bb9aa47a3024822ff40d21a13932381d6386643acc

    • SHA512

      aa51f249f1e443fce520853c2295c88f14bdb57a8714500cfa027fbb11f6fefc3bc901ea91fbdb630b151a098d10ed6536ffd04a545a95957737d714fd18f176

    • SSDEEP

      196608:UBK7xHBATdA8xsvku1c7ZG2SuLgsn2bMlCnahYF7pS0i2:N7rYpIs7ZpL2bM0KM5

    Score
    10/10
    ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotectfabookie

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • Ffdroider family

      ffdroider

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral19behavioral20

    • Target

      Setup_x32_x64 (2).exe

    • Size

      6.7MB

    • MD5

      9ed9d2543910e01707fad071b76e52a1

    • SHA1

      95c7867404af5e2d8d93b145dc254816192ab640

    • SHA256

      384b35bfb6d07dda3ea948bb9aa47a3024822ff40d21a13932381d6386643acc

    • SHA512

      aa51f249f1e443fce520853c2295c88f14bdb57a8714500cfa027fbb11f6fefc3bc901ea91fbdb630b151a098d10ed6536ffd04a545a95957737d714fd18f176

    • SSDEEP

      196608:UBK7xHBATdA8xsvku1c7ZG2SuLgsn2bMlCnahYF7pS0i2:N7rYpIs7ZpL2bM0KM5

    Score
    10/10
    ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotectfabookie

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • Ffdroider family

      ffdroider

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral21behavioral22

    • Target

      Setup_x32_x64 (20).exe

    • Size

      6.7MB

    • MD5

      9ed9d2543910e01707fad071b76e52a1

    • SHA1

      95c7867404af5e2d8d93b145dc254816192ab640

    • SHA256

      384b35bfb6d07dda3ea948bb9aa47a3024822ff40d21a13932381d6386643acc

    • SHA512

      aa51f249f1e443fce520853c2295c88f14bdb57a8714500cfa027fbb11f6fefc3bc901ea91fbdb630b151a098d10ed6536ffd04a545a95957737d714fd18f176

    • SSDEEP

      196608:UBK7xHBATdA8xsvku1c7ZG2SuLgsn2bMlCnahYF7pS0i2:N7rYpIs7ZpL2bM0KM5

    Score
    10/10
    ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotectfabookie

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • Ffdroider family

      ffdroider

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral23behavioral24

    • Target

      Setup_x32_x64 (21).exe

    • Size

      6.7MB

    • MD5

      9ed9d2543910e01707fad071b76e52a1

    • SHA1

      95c7867404af5e2d8d93b145dc254816192ab640

    • SHA256

      384b35bfb6d07dda3ea948bb9aa47a3024822ff40d21a13932381d6386643acc

    • SHA512

      aa51f249f1e443fce520853c2295c88f14bdb57a8714500cfa027fbb11f6fefc3bc901ea91fbdb630b151a098d10ed6536ffd04a545a95957737d714fd18f176

    • SSDEEP

      196608:UBK7xHBATdA8xsvku1c7ZG2SuLgsn2bMlCnahYF7pS0i2:N7rYpIs7ZpL2bM0KM5

    Score
    10/10
    ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotectfabookie

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • Ffdroider family

      ffdroider

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral25behavioral26

    • Target

      Setup_x32_x64 (22).exe

    • Size

      6.7MB

    • MD5

      9ed9d2543910e01707fad071b76e52a1

    • SHA1

      95c7867404af5e2d8d93b145dc254816192ab640

    • SHA256

      384b35bfb6d07dda3ea948bb9aa47a3024822ff40d21a13932381d6386643acc

    • SHA512

      aa51f249f1e443fce520853c2295c88f14bdb57a8714500cfa027fbb11f6fefc3bc901ea91fbdb630b151a098d10ed6536ffd04a545a95957737d714fd18f176

    • SSDEEP

      196608:UBK7xHBATdA8xsvku1c7ZG2SuLgsn2bMlCnahYF7pS0i2:N7rYpIs7ZpL2bM0KM5

    Score
    10/10
    ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotectfabookie

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • Ffdroider family

      ffdroider

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral27behavioral28

    • Target

      Setup_x32_x64 (23).exe

    • Size

      6.7MB

    • MD5

      9ed9d2543910e01707fad071b76e52a1

    • SHA1

      95c7867404af5e2d8d93b145dc254816192ab640

    • SHA256

      384b35bfb6d07dda3ea948bb9aa47a3024822ff40d21a13932381d6386643acc

    • SHA512

      aa51f249f1e443fce520853c2295c88f14bdb57a8714500cfa027fbb11f6fefc3bc901ea91fbdb630b151a098d10ed6536ffd04a545a95957737d714fd18f176

    • SSDEEP

      196608:UBK7xHBATdA8xsvku1c7ZG2SuLgsn2bMlCnahYF7pS0i2:N7rYpIs7ZpL2bM0KM5

    Score
    10/10
    ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotectfabookie

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • Ffdroider family

      ffdroider

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral29behavioral30

    • Target

      Setup_x32_x64 (24).exe

    • Size

      6.7MB

    • MD5

      9ed9d2543910e01707fad071b76e52a1

    • SHA1

      95c7867404af5e2d8d93b145dc254816192ab640

    • SHA256

      384b35bfb6d07dda3ea948bb9aa47a3024822ff40d21a13932381d6386643acc

    • SHA512

      aa51f249f1e443fce520853c2295c88f14bdb57a8714500cfa027fbb11f6fefc3bc901ea91fbdb630b151a098d10ed6536ffd04a545a95957737d714fd18f176

    • SSDEEP

      196608:UBK7xHBATdA8xsvku1c7ZG2SuLgsn2bMlCnahYF7pS0i2:N7rYpIs7ZpL2bM0KM5

    Score
    10/10
    ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotectfabookie

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • Ffdroider family

      ffdroider

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

2
T1120

Query Registry

5
T1012

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

Score
3/10

behavioral1

ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral2

fabookieffdroidernullmixerprivateloaderredlinesectopratsocelarscanaaspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral3

ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral4

fabookieffdroidernullmixerprivateloaderredlinesectopratsocelarscanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral5

ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral6

fabookieffdroidernullmixerprivateloaderredlinesectopratsocelarscanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral7

ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral8

ffdroidernullmixerredlinesectopratsocelarscanadomani2discoverydropperevasioninfostealerratspywarestealertrojanupxvmprotect
Score
10/10

behavioral9

ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidardomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral10

fabookieffdroidernullmixerredlinesectopratsocelarscanadomani2aspackv2discoverydropperevasioninfostealerratspywarestealertrojanupxvmprotect
Score
10/10

behavioral11

ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral12

fabookieffdroidernullmixerredlinesectopratsocelarscanadomani2aspackv2discoverydropperevasioninfostealerratspywarestealertrojanupxvmprotect
Score
10/10

behavioral13

ffdroidernullmixerredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerratspywarestealertrojanupxvmprotect
Score
10/10

behavioral14

fabookieffdroidernullmixerprivateloaderredlinesectopratsocelarscanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral15

ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral16

fabookieffdroidernullmixerprivateloaderredlinesectopratsocelarscanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral17

ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral18

fabookieffdroidernullmixerredlinesectopratsocelarscanadomani2aspackv2discoverydropperevasioninfostealerratspywarestealertrojanupxvmprotect
Score
10/10

behavioral19

ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral20

fabookieffdroidernullmixerprivateloaderredlinesectopratsocelarscanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral21

ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral22

fabookieffdroidernullmixerprivateloaderredlinesectopratsocelarscanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral23

ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral24

fabookieffdroidernullmixerprivateloaderredlinesectopratsocelarscanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral25

ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral26

fabookieffdroidernullmixerprivateloaderredlinesectopratsocelarscanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral27

ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral28

fabookieffdroidernullmixerprivateloaderredlinesectopratsocelarscanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral29

ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral30

fabookieffdroidernullmixerprivateloaderredlinesectopratsocelarscanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral31

ffdroidernullmixerprivateloaderredlinesectopratsocelarsvidarcanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10

behavioral32

fabookieffdroidernullmixerprivateloaderredlinesectopratsocelarscanadomani2aspackv2discoverydropperevasioninfostealerloaderratspywarestealertrojanupxvmprotect
Score
10/10