fabookie | 64506751e65ec41605c04620d393cdf9338ce76d31d8b0868dbdfce88f086a03

Sharing

Copy URL

Twitter E-mail

General

Target

64506751e65ec41605c04620d393cdf9338ce76d31d8b0868dbdfce88f086a03
Size

37.7MB
Sample

241106-w29ecatrhw
MD5

aedf5548afa01555c3de174aa6bfc654
SHA1

237aed5308abc0ebb8940a8418c7c5b65658cb06
SHA256

64506751e65ec41605c04620d393cdf9338ce76d31d8b0868dbdfce88f086a03
SHA512

c3ca677f3e4d9c4aee2c9777dd2da0d4d319c2cc78760c244a45a221d92b955c158279eae8a8a0c12c3d2ab35e575ff5b5292633ff58c24aa7f7860883ecc565
SSDEEP

786432:Cf4pniCMDXQiIewcnRNB5qQGqgAqRf/n09aZK3p1YPndqxd8WiXmNkt5cNlABRge:XlUMcnRNBiIqhf09aZpndqT6Wk74AkOt

Malware Config

Extracted

Family

privateloader

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.efxety.top/

Extracted

Family

nullmixer

http://marianu.xyz/

http://wensela.xyz/

http://mooorni.xyz/

http://sayanu.xyz/

Extracted

Family

redline

Botnet

media18

91.121.67.60:2151

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Extracted

Family

redline

Botnet

Chris

194.104.136.5:46013

Attributes

auth_value
9491a1c5e11eb6097e68a4fa8627fda8

Extracted

Family

redline

Botnet

fucker2

135.181.129.119:4805

Attributes

auth_value
b69102cdbd4afe2d3159f88fb6dac731

Extracted

Family

gcleaner

gcl-gb.biz

45.9.20.13

Extracted

Family

redline

Botnet

media20

91.121.67.60:2151

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Extracted

Family

redline

Botnet

media25

91.121.67.60:23325

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Extracted

Family

redline

Botnet

ChrisNEW

194.104.136.5:46013

Attributes

auth_value
9491a1c5e11eb6097e68a4fa8627fda8

Extracted

Family

redline

Botnet

pub2

185.215.113.46:80

Attributes

auth_value
4a9525ed658ab62eaade23fdc4f4da23

Targets

- Target
  
  022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66
- Size
  
  403KB
- MD5
  
  f957e397e71010885b67f2afe37d8161
- SHA1
  
  a8bf84b971b37ac6e7f66c5e5a7e971a7741401e
- SHA256
  
  022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66
- SHA512
  
  8b5e9cb926fafc295c403c1fce7aa883db3a327e58c3295e9a081a8937bed28e305cca08c2c7d98080818095ea99bb4047e10aa2f61e3e4d6d965aef6d16a4f6
- SSDEEP
  
  6144:ilwYPg/USg7WFugaqIv1pE0EAPMrGWsWDWidF0HQszCZ2Ftppb9Y81+k7pq7FLfj:iyYI/7FugaLS2zO
Score

6^/10

discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2
- Target
  
  4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef
- Size
  
  4.7MB
- MD5
  
  0cc50985a2e8ae4f126dabb4b6a1c2be
- SHA1
  
  4d20dd812a0b2d47f4b9b511538125a1ad5d917c
- SHA256
  
  4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef
- SHA512
  
  9916db8f6dcc3532d3f205d3d96154cdb511ac3b135a874f72f47be251feeedc3a83b9304f132b1e680b48b2d820dd88a2692cc1080baf88be4ffcb45d2cc439
- SSDEEP
  
  98304:J2IB6bn7qZeFMO8++yA9pH2oRp7hRspTbueWyjg74Y2ObUu+Qr157DUgrXft6GT:Jq/8+LAr7OCg9QUuJ7DUgzB
Score

10^/10

gcleaner nullmixer onlylogger privateloader raccoon redline sectoprat socelars chris fucker2 media18 aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V1 payload
- Raccoon family
  raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- OnlyLogger payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  setup_installer.exe
- Size
  
  4.6MB
- MD5
  
  06c46fe375c6748c533c881346b684d1
- SHA1
  
  cb488c5b5f58f3adaf360b0721e145f59c110b57
- SHA256
  
  07cf30eb7de3a5626ce499d5efdeba147c3c5bd40686cfc8727b4da7f9ab7d1a
- SHA512
  
  bdf582b78bc5ef135260f7c93119ef315cc08836d9864014951bc6fe919e33ca3184828c70e6ab43b70730bd191a511112a088968abf03bbe4a5e17cb4276443
- SSDEEP
  
  98304:xqCvLUBsgeElUaQvHpeKG5Qd0LW9fH/W5onZQfkRNZiAX:xrLUCgeEljQfsKG5QdbP/W54SMRKAX
Score

10^/10

gcleaner nullmixer onlylogger privateloader raccoon redline sectoprat socelars chris fucker2 media18 aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V1 payload
- Raccoon family
  raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- OnlyLogger payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3
- Size
  
  4.6MB
- MD5
  
  4f85f62146d5148f290ff107d4380941
- SHA1
  
  5c513bcc232f36d97c2e893d1c763f3cbbf554ff
- SHA256
  
  578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3
- SHA512
  
  bc4ae4f7101b20ab649ea2a44d5da42875af5068c33c1772960c342cc8731bddfdabd721fb31a49523ea957615252d567a00346035bddacfa58cf97853587594
- SSDEEP
  
  98304:JBw9RoHv20QUG38f+A5SeNU0sDDBKaWFEW07YqoBEstLcU4v1HbQS:J29+e0QJMPLU0s/BKjEW0LALcvbQS
Score

10^/10

gcleaner nullmixer onlylogger privateloader raccoon redline sectoprat socelars chris fucker2 media18 aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V1 payload
- Raccoon family
  raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- OnlyLogger payload
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  setup_installer.exe
- Size
  
  4.6MB
- MD5
  
  d0fbd06f5709db11a8b2449a1b919251
- SHA1
  
  83f4610e15b613668b9ebad734dbc2f8fbefc614
- SHA256
  
  e94188908546b2f00a506d7596d3673b814ab62173967b3d258422877bc56f84
- SHA512
  
  c82970a78fba054ec6e9a962a43ca6fb94ddd3a0d744dd5b9d04a014f541e6da8038497c2ba15403df12600372cb624caf6e672eeac6915f680b062efeae1e8b
- SSDEEP
  
  98304:xACvLUBsg0qq4T7AkqMOPG5730iWJQ/lv5FCknu6zN:x9LUCgfRT7AjMIG573+gB5AknLR
Score

10^/10

gcleaner nullmixer onlylogger privateloader raccoon redline sectoprat socelars chris fucker2 media18 aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V1 payload
- Raccoon family
  raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- OnlyLogger payload
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782
- Size
  
  3.6MB
- MD5
  
  9725f7f222530388cb2743504a6e0667
- SHA1
  
  56d0eb91855e326b050c904147f4d9dafc596d70
- SHA256
  
  9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782
- SHA512
  
  ea5aedb3c3ab725c9afc65481ef7b59cdfad80613aaf43a8e76ec94045824269b008007644cb7943e65e98a87650f7f980afcd66ae1dee7807d84be57c018663
- SSDEEP
  
  98304:JUGpqMhmpE+ykGp1GdA+qOt17jqXap8cghXDSMgzS43Y:JUIqMhME2kodb4aKVg6
Score

10^/10

fabookie nullmixer privateloader redline sectoprat chris fucker2 media20 aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan gcleaner onlylogger
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- OnlyLogger payload
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  setup_installer.exe
- Size
  
  3.6MB
- MD5
  
  7f612c816e43e7cae4cbed9173244e73
- SHA1
  
  661086e8715248a4bd2b7bc1d92149dd11bbe119
- SHA256
  
  60e9b75ce4e3333d37a1b44348d3f9ae57bbab2130af8d0a44d8a5b09ce9f3bd
- SHA512
  
  24119a2526654c2783a65fbee9f53c104af2d91dafb0ccab9c6d40adecceffdcfddc34231131bff3eb92f64af61e6e4c700f7135df183bbefa42f4987f06761f
- SSDEEP
  
  98304:xnCvLUBsgrwO6kbk+hpPKt6ab8ffbpSb8dMLZXeaX8wH:xELUCgr76kbFdbptcZOc/
Score

10^/10

fabookie gcleaner nullmixer onlylogger privateloader redline sectoprat chris fucker2 media20 aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- OnlyLogger payload
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4
- Size
  
  4.4MB
- MD5
  
  bfc2137972c74edea0f9791b94486e9b
- SHA1
  
  fd72e52406ce3f2ae5cfdb5dd8c7243f3ce31eb3
- SHA256
  
  a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4
- SHA512
  
  9fcd3756f9888e2000b94caf0d803087497b87428c0bd641901d2e416411bc698d9ca3a7a00d3cd711b681f3c8b8921f2a478f0ec1f975bc36fde5cf16741e75
- SSDEEP
  
  98304:J3y6Uegpc50QDGUFSggME8k3XwPKHPpNJNJ95hJJoSuqgq:J3y6O3R/gt/kHGQLJb9jJJoSuQ
Score

10^/10

nullmixer privateloader redline sectoprat socelars chris fucker2 media18 aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan gcleaner onlylogger raccoon
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V1 payload
- Raccoon family
  raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- OnlyLogger payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  setup_installer.exe
- Size
  
  4.3MB
- MD5
  
  2395e4afcd27aebfcc3421d1c3e1b88e
- SHA1
  
  acc62ddfc0aeca36c68f684bc189633d77df2da4
- SHA256
  
  ecb5c8cb5411d3c5aa5bc7b5138fe50cb5ded78484fcd5a5c88b56f249d7d1e0
- SHA512
  
  198aacb5ce2c4d314a2935251ebee59131861ea183cef3013c23537702f12c17ba130d49adf18d193f677ae14d40bd2f5557242755c4ba06fa47fd27abcfd5d3
- SSDEEP
  
  98304:xwCvLUBsgI9ui+BpR1okjBuLxhMEKSkibEBRpLgD8yNS71GzP2q:xNLUCgSO1okduLxhMhgguBNC1GCq
Score

10^/10

gcleaner nullmixer onlylogger privateloader raccoon redline sectoprat socelars chris fucker2 media18 aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V1 payload
- Raccoon family
  raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- OnlyLogger payload
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral17 behavioral18
- Target
  
  acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0
- Size
  
  3.5MB
- MD5
  
  a75539ada819b941531f116f3d50b13b
- SHA1
  
  942d264f3b0cc866c84114a06be4fa7aeb905b3c
- SHA256
  
  acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0
- SHA512
  
  ee89498995cc1a9a91c754c391082f7e38fa22fee413033b6cb9318a0008baa7e8bfcf2a1c3aebc3fa1c0cbace33c27b8979953868b01dc296c9e01e0c8e3b49
- SSDEEP
  
  98304:Jkjbl4GDCOGbvObxbSbjQPWog6YOwmdl3A:J4eZ6lI8PyOwm33A
Score

10^/10

fabookie nullmixer privateloader redline sectoprat chris fucker2 media20 aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral19 behavioral20
- Target
  
  setup_installer.exe
- Size
  
  3.4MB
- MD5
  
  b46fae262aee376a381040944af704da
- SHA1
  
  2f0e50db7dc766696260702d00e891a9b467108c
- SHA256
  
  043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f
- SHA512
  
  2134c503a7abdb773d02d800e909e1372425a6d46cefa30fed8f54f4164190d836a86584de52e972bf619de06420a00e1c1ebc408d2932651e9a3b1978959d69
- SSDEEP
  
  98304:xUCvLUBsg4fyvKcIpMrvwSlDyW6MfVEl5GQUI4HJ:xJLUCg4fyvjIpMrokGgCl8Q/G
Score

10^/10

fabookie nullmixer privateloader redline sectoprat chris fucker2 media20 aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral21 behavioral22
- Target
  
  cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2
- Size
  
  5.6MB
- MD5
  
  5802bc4fd763cd759b7875e94f9f2eaf
- SHA1
  
  91eaa6e6f9b5c52a2b91806bfbf513ed336e3f6a
- SHA256
  
  cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2
- SHA512
  
  91f9c64c61456c91e74cad1c8a5f9aca54e44f00612085721c1b2ad8e9305679f3ed562939b0505843c06b619ab8f4818f3a537e33c122a02569cf080d13181a
- SSDEEP
  
  98304:J2TqxAXetUIgeZdS/PxEqEeY5nJws2MTOaSOir1NwzkS6QwtzQFUlTzw:JvwetXgn+kSnSaMrj5S6lTU
Score

10^/10

fabookie gcleaner nullmixer onlylogger privateloader redline socelars chrisnew media25 pub2 aspackv2 discovery dropper execution infostealer loader spyware stealer
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- OnlyLogger payload
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral23 behavioral24
- Target
  
  setup_installer.exe
- Size
  
  5.6MB
- MD5
  
  d30d0f507abdbec4488c6a49edacdbe8
- SHA1
  
  4ffe73350cdf75461ce21994b26a7c2b90b721cb
- SHA256
  
  318af6913b0c34dd5183c80569604d8366e052de015aa3f428f89f98dfcec448
- SHA512
  
  1b0c464279ae6a84b47a5e30743c7e005a63c7ff966f94d5c718357273572a32c15deca80f4c58ce86fa5ae66a386ffcd03ace811a3361343e5c2d1eb2724f21
- SSDEEP
  
  98304:x9CvLUBsg9ZBeL2967NOJ7540pStWiWFXEYIt5jY8/lSJn3yN5qfMlBs:xeLUCg9ZBe/mW0ktW8YEYnZoQ0Y
Score

10^/10

fabookie gcleaner nullmixer onlylogger privateloader redline socelars chrisnew media25 pub2 aspackv2 discovery dropper execution infostealer loader spyware stealer persistence
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- OnlyLogger payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral25 behavioral26
- Target
  
  db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12
- Size
  
  4.6MB
- MD5
  
  c7f1d6db5efddf8b46441be0edfaadfd
- SHA1
  
  e27a2fab7ac49b1709c8d9e0183b020f1be61fc6
- SHA256
  
  db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12
- SHA512
  
  856e4f8a48848b5ddc42af7c282fdbc87df641665c0a0fdb28d5af2b6ac3299d9ae3c9b9d25b145816092abd248df32c9ea4f72ea59217b50460d48fb95ecb9a
- SSDEEP
  
  98304:Jm+QpkVne7h8e/AvYstkHfQztHBZ9FxUpbj+SCw6IEl:Jd5eH/AwsSmHZrxMtCwvEl
Score

10^/10

gcleaner nullmixer onlylogger privateloader raccoon redline sectoprat socelars fucker2 media18 aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V1 payload
- Raccoon family
  raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- OnlyLogger payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral27 behavioral28
- Target
  
  setup_installer.exe
- Size
  
  4.6MB
- MD5
  
  20866e5b2ccb228d17fd390e107f7a9a
- SHA1
  
  1dea55f53287e2845207396f6ff5a7f99fef61ab
- SHA256
  
  5aa8a219a096bcf847a56a8066721257823414a098cdcdfeb39b9bd07bb0776e
- SHA512
  
  3e325fdbfe4790785301ebcf61c690a81de61513c6c5f9252a20c6ba4511ad7837a995a335d8d621608e3fe63449f95c99d203cf7bb65a9ae8b91537a15ec067
- SSDEEP
  
  98304:xTCvLUBsgNM7Q0c9tXeV1+ISI3TqtjfA73hiLpLzDRvL:xoLUCg30cCPTNTy8Th4DFL
Score

10^/10

gcleaner nullmixer onlylogger privateloader raccoon redline sectoprat socelars fucker2 media18 aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V1 payload
- Raccoon family
  raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- OnlyLogger payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral29 behavioral30
- Target
  
  e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6
- Size
  
  834KB
- MD5
  
  2c25a0926e5228d2205b3b8c8ef4d7f4
- SHA1
  
  5f8a9d364dc3d03a5b11fd5be0629d0fb5a8c409
- SHA256
  
  e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6
- SHA512
  
  cafe8fae74d414015118b838b5e4b30183733d5e833c5db84a56bd2d5cf728cad08d2bbefbeadc86b15b7dbf6dc25fcabdffa8ff4fb346dc0f66376087a28468
- SSDEEP
  
  12288:4EcVL8O4jrAi/X+tuuGK9p3ZWil37Nf5AcXbm8CETY2HhC9nxhnKQqsft+yOY:MLlgAi3dwp3YixJxAsCEhCAQqs0y9
Score

10^/10

pseudomanuscrypt discovery loader
- Detects PseudoManuscrypt payload
  loader
- PseudoManuscrypt
  PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.
  loader pseudomanuscrypt
- Pseudomanuscrypt family
  pseudomanuscrypt
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Suspicious use of SetThreadContext
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Legitimate hosting services abused for malware hosting/C2

GCleaner

Gcleaner family

NullMixer

Nullmixer family

OnlyLogger

Onlylogger family

PrivateLoader

Privateloader family

Raccoon

Raccoon Stealer V1 payload

Raccoon family

RedLine

RedLine payload

Redline family

SectopRAT

SectopRAT payload

Sectoprat family

Socelars

Socelars family

Socelars payload

OnlyLogger payload

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: PowerShell

ASPack v2.12-2.42

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Checks installed software on the system

Drops Chrome extension

Legitimate hosting services abused for malware hosting/C2

Looks up geolocation information via web service

Suspicious use of SetThreadContext

GCleaner

Gcleaner family

NullMixer

Nullmixer family

OnlyLogger

Onlylogger family

PrivateLoader

Privateloader family

Raccoon

Raccoon Stealer V1 payload

Raccoon family

RedLine

RedLine payload

Redline family

SectopRAT

SectopRAT payload

Sectoprat family

Socelars

Socelars family

Socelars payload

OnlyLogger payload

Command and Scripting Interpreter: PowerShell

ASPack v2.12-2.42

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Checks installed software on the system

Drops Chrome extension