General
-
Target
Downloaders.zip
-
Size
12KB
-
Sample
241212-wy4dxsvkcp
-
MD5
94fe78dc42e3403d06477f995770733c
-
SHA1
ea6ba4a14bab2a976d62ea7ddd4940ec90560586
-
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
-
SHA512
add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
-
SSDEEP
384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Malware Config
Extracted
Protocol: ftp- Host:
ftpcluster.loopia.se - Port:
21 - Username:
srbreferee.com - Password:
luka2005
Extracted
Protocol: ftp- Host:
ftpcluster.loopia.se - Port:
21 - Username:
PRGUpdate - Password:
hokejnaledu
Extracted
redline
TG@CVV88888
185.218.125.157:21441
Extracted
discordrat
-
discord_token
MTMxNTQxMDg0NDg3NTQ4OTI4MA.Gx5ptK.HY1OYsjGMP1MsOoyD2E7T9pCvkfHTdOPozmb_c
-
server_id
1315411300192616569
Extracted
azorult
http://195.245.112.115/index.php
Extracted
xworm
5.0
127.0.0.1:8080
101.99.92.189:8080
educational-reform.gl.at.ply.gg:49922
38.180.203.11:1010
d5gQ6Zf7Tzih1Pi1
-
install_file
USB.exe
Extracted
gurcu
https://api.telegram.org/bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o/sendMessage?chat_id=7427009775
https://api.telegram.org/bot8081835502:AAFtGgtMdAzFeWYBpQcGx83fjDR_25zfjK0/sendDocument?chat_id=7538374929&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20181.215.176.83%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan
https://api.telegram.org/bot7587476277:AAEN7p2yOtrq884E9izAnIDu8WeE8vTqRjY/sendMessag
https://api.telegram.org/bot7105333862:AAE6XaSuAERR5F_VgpAajrgcx8b0mCmMnqM/sendDocumen
https://api.telegram.org/bot7673498966:AAE8RwQQVWIce7zc1tvOHxg7_EravC7Vqis/sendDocument?chat_id=621271611
https://api.telegram.org/bot7678901257:AAENkDGBF25IbXLdzfMeaD-OMDGJWC2_KRQ/sendMessage?chat_id=7813784541
https://api.telegram.org/bot7617703274:AAFEXxgPRP1fZGT5UCjcRV4hUZdtNFxyusQ/sendMessage?chat_id=-4568449403
https://api.telegram.org/bot6144496200:AAG-IIb4TPBPT1INBnZWa7iLZBVaG67I2mE/sendDocument?chat_id=-1001562112668&caption=%3Ccode%3E%0A-%20IP%20Info%20-%0A%0AIP:%20181.215.176.83%0ACountry:%20United%20Kingdom%0ACity:%20London%0APostal:%20SW1%0AISP:%20Cogent%20Communications%20-%20A174%0ATimezone:%20+00:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20Admin%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel%20Core%20Processor%20(Broadwell)%0AGPU:%20Microsoft%20Basic%20Display%20Adapter%20(1280,%20720)%0AHWID:%20Unknown%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\Admin\AppData\Local\Temp\a\888.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20Unknown%0A%0A-%20Log%20Info%20-%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%201%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%207%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0ATelegram:%20%E2%9D%8C%0A%0ATagged%20URLs:%20%E2%9D%8C%0ATagged%20Cookies:%20%E2%9D%8C%0A%0ATags%20Passwords:%20%0A%0ATags%20Cookies:%20%3C/code%3E&parse_mode=HTM
Extracted
lumma
https://infect-crackle.cyou/api
https://covery-mover.biz/api
https://drive-connect.cyou/api
https://tacitglibbr.biz/api
https://immureprech.biz/api
https://deafeninggeh.biz/api
https://wrathful-jammy.cyou/api
https://awake-weaves.cyou/api
https://sordid-snaked.cyou/api
Extracted
quasar
1.4.1
Office04
14.243.221.170:2654
a7b38fdd-192e-4e47-b9ba-ca9eb81cc7bd
-
encryption_key
8B9AD736E943A06EAF1321AD479071E83805704C
-
install_name
Runtime Broker.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Runtime Broker
-
subdirectory
SubDir
Extracted
xworm
193.233.255.106:69
127.0.0.1:58963
login-donor.gl.at.ply.gg:58963
-
Install_directory
%AppData%
-
install_file
System.exe
-
telegram
https://api.telegram.org/bot7678901257:AAENkDGBF25IbXLdzfMeaD-OMDGJWC2_KRQ/sendMessage?chat_id=7813784541
Extracted
phorphiex
http://185.215.113.66/
http://91.202.233.141/
0xCa90599132C4D88907Bd8E046540284aa468a035
TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6
qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
XryzFMFVpDUvU7famUGf214EXD3xNUSmQf
rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9
AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z
LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT
MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q
4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK
15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC
1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK
ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp
3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc
3ESHude8zUHksQg1h6hHmzY79BS36L91Yn
DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA
t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh
stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj
bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2
bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr
bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd
-
mutex
753f85d83d
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Extracted
phorphiex
http://185.215.113.84
Extracted
quasar
1.4.0
Office04
192.168.31.99:4782
2001:4bc9:1f98:a4e::676:4782
255.255.255.0:4782
fe80::cabf:4cff:fe84:9572%17:4782
1f65a787-81b8-4955-95e4-b7751e10cd50
-
encryption_key
A0B82A50BBC49EC084E3E53A9E34DF58BD7050B9
-
install_name
Neverlose Loader.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Java Updater
-
subdirectory
SubDir
Extracted
gurcu
https://api.telegram.org/bot7617703274:AAFEXxgPRP1fZGT5UCjcRV4hUZdtNFxyusQ/sendMessage?chat_id=-4568449403
http://209.38.221.184:8080
http://46.235.26.83:8080
http://147.28.185.29:80
http://206.166.251.4:8080
http://51.159.4.50:8080
http://167.235.70.96:8080
http://194.164.198.113:8080
http://132.145.17.167:9090
https://5.196.181.135:443
http://116.202.101.219:8080
https://185.217.98.121:443
http://185.217.98.121:8080
http://159.203.174.113:8090
http://107.161.20.142:8080
https://192.99.196.191:443
http://65.49.205.24:8080
https://154.9.207.142:443
http://67.230.176.97:8080
http://8.222.143.111:8080
Extracted
vidar
11.3
a21440e9f7223be06be5f5e2f94969c7
https://t.me/asg7rd
https://steamcommunity.com/profiles/76561199794498376
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Extracted
redline
newbundle2
185.215.113.67:15206
Extracted
redline
14082024
185.215.113.67:21405
Extracted
lumma
https://sordid-snaked.cyou/api
https://awake-weaves.cyou/api
https://wrathful-jammy.cyou/api
https://debonairnukk.xyz/api
https://diffuculttan.xyz/api
https://effecterectz.xyz/api
https://deafeninggeh.biz/api
https://immureprech.biz/api
https://tacitglibbr.biz/api
Extracted
quasar
1.4.1
RuntimeBroker
Cmaster-57540.portmap.io:57540:8080
7d0b5d0f-c185-4da8-b709-726d2f58400c
-
encryption_key
6275D618DF6119CEEF062AB381785B6186B8C0EB
-
install_name
RuntimeBroker.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
RuntimeBroker
-
subdirectory
devtun
Extracted
quasar
1.4.0
svhost
151.177.61.79:4782
a148a6d8-1253-4e62-bc5f-c0242dd62e69
-
encryption_key
5BEC1A8BC6F8F695D1337C51454E0B7F3A4FE968
-
install_name
svhost.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
svhost
-
subdirectory
svhost
Extracted
xworm
3.1
camp.zapto.org:7771
-
Install_directory
%AppData%
-
install_file
USB.exe
Extracted
amadey
5.04
4bee07
http://185.215.113.209
-
install_dir
fc9e0aaab7
-
install_file
defnur.exe
-
strings_key
191655f008adc880f91bfc85bc56db54
-
url_paths
/Fru7Nk9/index.php
Extracted
asyncrat
0.5.8
Default
0.tcp.eu.ngrok.io:15174
aNoM7pvDUvoo
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
44caliber
https://discord.com/api/webhooks/1296494108667416678/ZASeLgYlw4OZSUv8h9jKQd4eY6ktpyF3T4vMXTNf0Ppbac5asKxIs_xZz8YEc__J4qsO
Extracted
stealc
Voov3
http://154.216.17.90
-
url_path
/a48146f6763ef3af.php
Extracted
stealc
QQTalk2
http://154.216.17.90
-
url_path
/a48146f6763ef3af.php
Extracted
stealc
Voov1
http://154.216.17.90
-
url_path
/a48146f6763ef3af.php
Extracted
stealc
QQtalk1
http://154.216.17.90
-
url_path
/a48146f6763ef3af.php
Extracted
stealc
Voov
http://154.216.17.90
-
url_path
/a48146f6763ef3af.php
Extracted
stealc
Voov2
http://154.216.17.90
-
url_path
/a48146f6763ef3af.php
Extracted
stealc
QQtalk
http://154.216.17.90
-
url_path
/a48146f6763ef3af.php
Targets
-
-
Target
Downloaders.zip
-
Size
12KB
-
MD5
94fe78dc42e3403d06477f995770733c
-
SHA1
ea6ba4a14bab2a976d62ea7ddd4940ec90560586
-
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
-
SHA512
add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
-
SSDEEP
384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Score10/10-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Detect Umbral payload
-
Detect Xworm Payload
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Discordrat family
-
Gurcu family
-
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Phorphiex family
-
Phorphiex payload
-
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
UAC bypass
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Umbral family
-
Xmrig family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
Enumerates VirtualBox registry keys
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
XMRig Miner payload
-
Adds policy Run key to start application
-
Command and Scripting Interpreter: PowerShell
Powershell Invoke Web Request.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s)
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
A potential corporate email address has been identified in the URL: 3SCET_Admin@OFGADUSE_report.wsr
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Service Discovery
Attempt to gather information on host's network.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
4363463463464363463463463.zip
-
Size
4KB
-
MD5
202786d1d9b71c375e6f940e6dd4828a
-
SHA1
7cad95faa33e92aceee3bcc809cd687bda650d74
-
SHA256
45930e1ff487557dd242214c1e7d07294dbedfa7bc2cf712fae46d8d6b61de76
-
SHA512
de81012a38c1933a82cb39f1ac5261e7af8df80c8478ed540111fe84a6f150f0595889b0e087889894187559f61e1142d7e4971d05bceb737ed06f13726e7eae
-
SSDEEP
96:XBf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcEw:XBfwncSf8Cv3w9DZjKXjmBIKEvLs97D3
Score1/10 -
-
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Detect Vidar Stealer
-
Detect Xworm Payload
-
Detects Go variant of Hive Ransomware
-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Gurcu family
-
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
-
Hive
A ransomware written in Golang first seen in June 2021.
-
Hive family
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Lockbit family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Meduza
Meduza is a crypto wallet and info stealer written in C++.
-
Meduza Stealer payload
-
Meduza family
-
Phorphiex family
-
Phorphiex payload
-
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Rule to detect Lockbit 3.0 ransomware Windows payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
UAC bypass
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Async RAT payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Command and Scripting Interpreter: PowerShell
Powershell Invoke Web Request.
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
A potential corporate email address has been identified in the URL: vtXV0_Admin@YQRLKYON_report.wsr
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
New Text Document mod.exse.zip
-
Size
7KB
-
MD5
a7b1b22096cf2b8b9a0156216871768a
-
SHA1
48acafe87df586a0434459b068d9323d20f904cb
-
SHA256
82fbb67bf03714661b75a49245c8fe42141e7b68dda3f97f765eb1f2e00a89a9
-
SHA512
35b3c89b18135e3aca482b376f5013557db636a332a18c4b43d34d3983e5d070a926c95e40966fafea1d54569b9e3c4ab483eaca81b015724d42db24b5f3805f
-
SSDEEP
192:R5ghioVh+82eei8mXvdTghioVh+82eei8mXvK1B:jHWTHWW
Score1/10 -
-
-
Target
New Text Document mod.exe
-
Size
8KB
-
MD5
69994ff2f00eeca9335ccd502198e05b
-
SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead
-
SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
-
SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
-
SSDEEP
96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
Score10/10-
44Caliber
An open source infostealer written in C#.
-
44Caliber family
-
Detect Umbral payload
-
Detect Xworm Payload
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Discordrat family
-
Gurcu family
-
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Rms family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
UAC bypass
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Umbral family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Adds policy Run key to start application
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
New Text Document mod.exse
-
Size
8KB
-
MD5
69994ff2f00eeca9335ccd502198e05b
-
SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead
-
SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
-
SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
-
SSDEEP
96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
Score10/10-
44Caliber
An open source infostealer written in C#.
-
44Caliber family
-
Detect Umbral payload
-
Detect Xworm Payload
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Discordrat family
-
Gurcu family
-
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Rms family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
UAC bypass
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Umbral family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Adds policy Run key to start application
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Indicator Removal: Clear Windows Event Logs
Clear Windows Event Logs to hide the activity of an intrusion.
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Blocklisted process makes network request
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
3PowerShell
3Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Installer Packages
1Netsh Helper DLL
1Modify Authentication Process
1Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Access Token Manipulation
1Create Process with Token
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Installer Packages
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Access Token Manipulation
1Create Process with Token
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
1Indicator Removal
2Clear Windows Event Logs
1File Deletion
1Modify Authentication Process
1Modify Registry
6Obfuscated Files or Information
1Command Obfuscation
1Subvert Trust Controls
1Install Root Certificate
1System Binary Proxy Execution
1Msiexec
1Virtualization/Sandbox Evasion
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Discovery
Browser Information Discovery
1Network Service Discovery
1Peripheral Device Discovery
2Process Discovery
1Query Registry
11Remote System Discovery
1System Information Discovery
9System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1Virtualization/Sandbox Evasion
3