1.3.setup_installer.exe.31a1c46.7.raw.unpack | JoeSecurity_PrivateLoader | Yara detected PrivateLoader | Joe Security | |
29.2.Mon179e1058f256.exe.5c50000.8.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.5c50000.8.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.5c50000.8.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | - 0x13c51:$a4: get_ScannedWallets
- 0x13739:$a5: get_ScanTelegram
- 0x1380d:$a6: get_ScanGeckoBrowsersPaths
- 0x13960:$a7: <Processes>k__BackingField
- 0x12b8f:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0x1355a:$a9: <ScanFTP>k__BackingField
|
29.2.Mon179e1058f256.exe.5c50000.8.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x13500:$u7: RunPE
- 0x13506:$u8: DownloadAndEx
- 0x1b042:$pat14: , CommandLine:
- 0x12aa3:$v2_1: ListOfProcesses
- 0x136a5:$v2_2: get_ScanBrowsers
- 0x136e3:$v2_2: get_ScanFTP
- 0x136fb:$v2_2: get_ScanWallets
- 0x1371b:$v2_2: get_ScanScreen
- 0x13739:$v2_2: get_ScanTelegram
- 0x1375b:$v2_2: get_ScanVPN
- 0x13773:$v2_2: get_ScanSteam
- 0x1378f:$v2_2: get_ScanDiscord
- 0x137d5:$v2_2: get_ScanChromeBrowsersPaths
- 0x1380d:$v2_2: get_ScanGeckoBrowsersPaths
- 0x13c51:$v2_2: get_ScannedWallets
- 0x12de4:$v2_3: GetArguments
- 0x12fc9:$v2_4: VerifyUpdate
- 0x12df1:$v2_5: VerifyScanRequest
- 0x12fbe:$v2_6: GetUpdates
- 0x18e30:$v2_6: GetUpdates
- 0x10eb1:$v4_3: base64str
|
29.2.Mon179e1058f256.exe.5c50000.8.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | - 0x13049:$v1_2: <BrowserProfile>k__
- 0x1397b:$v1_3: <SystemHardwares>k__
- 0x14526:$v1_4: <geoplugin_request>k__
- 0x13a3a:$v1_5: <ScannedWallets>k__
- 0x13aca:$v1_6: <DicrFiles>k__
- 0x13aa6:$v1_7: <MessageClientFiles>k__
- 0x13521:$v1_8: <ScanBrowsers>k__BackingField
- 0x13573:$v1_8: <ScanWallets>k__BackingField
- 0x13590:$v1_8: <ScanScreen>k__BackingField
- 0x135ca:$v1_8: <ScanVPN>k__BackingField
|
29.2.Mon179e1058f256.exe.400000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
- 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
- 0x1300:$s3: 83 EC 38 53 B0 C0 88 44 24 2B 88 44 24 2F B0 C3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
- 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
- 0x1fdd0:$s5: delete[]
- 0x1f288:$s6: constructor or from DllMain.
|
29.2.Mon179e1058f256.exe.47f3790.6.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.47f3790.6.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.47f3790.6.raw.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | - 0x14b69:$a4: get_ScannedWallets
- 0x14651:$a5: get_ScanTelegram
- 0x14725:$a6: get_ScanGeckoBrowsersPaths
- 0x14878:$a7: <Processes>k__BackingField
- 0x13aa7:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0x14472:$a9: <ScanFTP>k__BackingField
|
29.2.Mon179e1058f256.exe.47f3790.6.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x14418:$u7: RunPE
- 0x1441e:$u8: DownloadAndEx
- 0x1bf5a:$pat14: , CommandLine:
- 0x139bb:$v2_1: ListOfProcesses
- 0x145bd:$v2_2: get_ScanBrowsers
- 0x145fb:$v2_2: get_ScanFTP
- 0x14613:$v2_2: get_ScanWallets
- 0x14633:$v2_2: get_ScanScreen
- 0x14651:$v2_2: get_ScanTelegram
- 0x14673:$v2_2: get_ScanVPN
- 0x1468b:$v2_2: get_ScanSteam
- 0x146a7:$v2_2: get_ScanDiscord
- 0x146ed:$v2_2: get_ScanChromeBrowsersPaths
- 0x14725:$v2_2: get_ScanGeckoBrowsersPaths
- 0x14b69:$v2_2: get_ScannedWallets
- 0x13cfc:$v2_3: GetArguments
- 0x13ee1:$v2_4: VerifyUpdate
- 0x13d09:$v2_5: VerifyScanRequest
- 0x13ed6:$v2_6: GetUpdates
- 0x19d48:$v2_6: GetUpdates
- 0x11dc9:$v4_3: base64str
|
29.2.Mon179e1058f256.exe.47f3790.6.raw.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | - 0x13f61:$v1_2: <BrowserProfile>k__
- 0x14893:$v1_3: <SystemHardwares>k__
- 0x1543e:$v1_4: <geoplugin_request>k__
- 0x14952:$v1_5: <ScannedWallets>k__
- 0x149e2:$v1_6: <DicrFiles>k__
- 0x149be:$v1_7: <MessageClientFiles>k__
- 0x14439:$v1_8: <ScanBrowsers>k__BackingField
- 0x1448b:$v1_8: <ScanWallets>k__BackingField
- 0x144a8:$v1_8: <ScanScreen>k__BackingField
- 0x144e2:$v1_8: <ScanVPN>k__BackingField
|
22.0.Mon178817e243.exe.e60000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
22.0.Mon178817e243.exe.e60000.0.unpack | MALWARE_Win_DLInjector04 | Detects downloader / injector | ditekSHen | - 0xbc2:$s1: Runner
- 0xc54:$s2: DownloadPayload
- 0xc64:$s3: RunOnStartup
- 0xbd6:$a1: Antis
- 0xc03:$a2: antiVM
- 0xc0a:$a3: antiSandbox
- 0xc16:$a4: antiDebug
- 0xc20:$a5: antiEmulator
- 0xc2d:$a6: enablePersistence
- 0xc3f:$a7: enableFakeError
- 0xc7f:$a8: DetectVirtualMachine
- 0xca4:$a9: DetectSandboxie
- 0xccf:$a10: DetectDebugger
- 0xcde:$a11: CheckEmulator
|
29.3.Mon179e1058f256.exe.18a9250.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
29.3.Mon179e1058f256.exe.18a9250.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
29.3.Mon179e1058f256.exe.18a9250.1.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | - 0x12d69:$a4: get_ScannedWallets
- 0x12851:$a5: get_ScanTelegram
- 0x12925:$a6: get_ScanGeckoBrowsersPaths
- 0x12a78:$a7: <Processes>k__BackingField
- 0x11ca7:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0x12672:$a9: <ScanFTP>k__BackingField
|
29.3.Mon179e1058f256.exe.18a9250.1.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x12618:$u7: RunPE
- 0x1261e:$u8: DownloadAndEx
- 0x1a15a:$pat14: , CommandLine:
- 0x11bbb:$v2_1: ListOfProcesses
- 0x127bd:$v2_2: get_ScanBrowsers
- 0x127fb:$v2_2: get_ScanFTP
- 0x12813:$v2_2: get_ScanWallets
- 0x12833:$v2_2: get_ScanScreen
- 0x12851:$v2_2: get_ScanTelegram
- 0x12873:$v2_2: get_ScanVPN
- 0x1288b:$v2_2: get_ScanSteam
- 0x128a7:$v2_2: get_ScanDiscord
- 0x128ed:$v2_2: get_ScanChromeBrowsersPaths
- 0x12925:$v2_2: get_ScanGeckoBrowsersPaths
- 0x12d69:$v2_2: get_ScannedWallets
- 0x11efc:$v2_3: GetArguments
- 0x120e1:$v2_4: VerifyUpdate
- 0x11f09:$v2_5: VerifyScanRequest
- 0x120d6:$v2_6: GetUpdates
- 0x17f48:$v2_6: GetUpdates
- 0xffc9:$v4_3: base64str
|
29.3.Mon179e1058f256.exe.18a9250.1.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | - 0x12161:$v1_2: <BrowserProfile>k__
- 0x12a93:$v1_3: <SystemHardwares>k__
- 0x1363e:$v1_4: <geoplugin_request>k__
- 0x12b52:$v1_5: <ScannedWallets>k__
- 0x12be2:$v1_6: <DicrFiles>k__
- 0x12bbe:$v1_7: <MessageClientFiles>k__
- 0x12639:$v1_8: <ScanBrowsers>k__BackingField
- 0x1268b:$v1_8: <ScanWallets>k__BackingField
- 0x126a8:$v1_8: <ScanScreen>k__BackingField
- 0x126e2:$v1_8: <ScanVPN>k__BackingField
|
1.3.setup_installer.exe.31a1c46.7.unpack | JoeSecurity_PrivateLoader | Yara detected PrivateLoader | Joe Security | |
29.2.Mon179e1058f256.exe.47d6458.5.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.47d6458.5.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.47d6458.5.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | - 0x12d69:$a4: get_ScannedWallets
- 0x12851:$a5: get_ScanTelegram
- 0x12925:$a6: get_ScanGeckoBrowsersPaths
- 0x12a78:$a7: <Processes>k__BackingField
- 0x11ca7:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0x12672:$a9: <ScanFTP>k__BackingField
|
29.2.Mon179e1058f256.exe.47d6458.5.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x12618:$u7: RunPE
- 0x1261e:$u8: DownloadAndEx
- 0x1a15a:$pat14: , CommandLine:
- 0x11bbb:$v2_1: ListOfProcesses
- 0x127bd:$v2_2: get_ScanBrowsers
- 0x127fb:$v2_2: get_ScanFTP
- 0x12813:$v2_2: get_ScanWallets
- 0x12833:$v2_2: get_ScanScreen
- 0x12851:$v2_2: get_ScanTelegram
- 0x12873:$v2_2: get_ScanVPN
- 0x1288b:$v2_2: get_ScanSteam
- 0x128a7:$v2_2: get_ScanDiscord
- 0x128ed:$v2_2: get_ScanChromeBrowsersPaths
- 0x12925:$v2_2: get_ScanGeckoBrowsersPaths
- 0x12d69:$v2_2: get_ScannedWallets
- 0x11efc:$v2_3: GetArguments
- 0x120e1:$v2_4: VerifyUpdate
- 0x11f09:$v2_5: VerifyScanRequest
- 0x120d6:$v2_6: GetUpdates
- 0x17f48:$v2_6: GetUpdates
- 0xffc9:$v4_3: base64str
|
29.2.Mon179e1058f256.exe.47d6458.5.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | - 0x12161:$v1_2: <BrowserProfile>k__
- 0x12a93:$v1_3: <SystemHardwares>k__
- 0x1363e:$v1_4: <geoplugin_request>k__
- 0x12b52:$v1_5: <ScannedWallets>k__
- 0x12be2:$v1_6: <DicrFiles>k__
- 0x12bbe:$v1_7: <MessageClientFiles>k__
- 0x12639:$v1_8: <ScanBrowsers>k__BackingField
- 0x1268b:$v1_8: <ScanWallets>k__BackingField
- 0x126a8:$v1_8: <ScanScreen>k__BackingField
- 0x126e2:$v1_8: <ScanVPN>k__BackingField
|
23.0.Mon17b5f403be4d8d6b.exe.9c0000.0.unpack | JoeSecurity_PrivateLoader | Yara detected PrivateLoader | Joe Security | |
29.2.Mon179e1058f256.exe.352d6c6.2.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.352d6c6.2.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.352d6c6.2.raw.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | - 0x14b69:$a4: get_ScannedWallets
- 0x14651:$a5: get_ScanTelegram
- 0x14725:$a6: get_ScanGeckoBrowsersPaths
- 0x14878:$a7: <Processes>k__BackingField
- 0x13aa7:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0x14472:$a9: <ScanFTP>k__BackingField
|
29.2.Mon179e1058f256.exe.352d6c6.2.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x14418:$u7: RunPE
- 0x1441e:$u8: DownloadAndEx
- 0x1bf5a:$pat14: , CommandLine:
- 0x139bb:$v2_1: ListOfProcesses
- 0x145bd:$v2_2: get_ScanBrowsers
- 0x145fb:$v2_2: get_ScanFTP
- 0x14613:$v2_2: get_ScanWallets
- 0x14633:$v2_2: get_ScanScreen
- 0x14651:$v2_2: get_ScanTelegram
- 0x14673:$v2_2: get_ScanVPN
- 0x1468b:$v2_2: get_ScanSteam
- 0x146a7:$v2_2: get_ScanDiscord
- 0x146ed:$v2_2: get_ScanChromeBrowsersPaths
- 0x14725:$v2_2: get_ScanGeckoBrowsersPaths
- 0x14b69:$v2_2: get_ScannedWallets
- 0x13cfc:$v2_3: GetArguments
- 0x13ee1:$v2_4: VerifyUpdate
- 0x13d09:$v2_5: VerifyScanRequest
- 0x13ed6:$v2_6: GetUpdates
- 0x19d48:$v2_6: GetUpdates
- 0x11dc9:$v4_3: base64str
|
29.2.Mon179e1058f256.exe.352d6c6.2.raw.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | - 0x13f61:$v1_2: <BrowserProfile>k__
- 0x14893:$v1_3: <SystemHardwares>k__
- 0x1543e:$v1_4: <geoplugin_request>k__
- 0x14952:$v1_5: <ScannedWallets>k__
- 0x149e2:$v1_6: <DicrFiles>k__
- 0x149be:$v1_7: <MessageClientFiles>k__
- 0x14439:$v1_8: <ScanBrowsers>k__BackingField
- 0x1448b:$v1_8: <ScanWallets>k__BackingField
- 0x144a8:$v1_8: <ScanScreen>k__BackingField
- 0x144e2:$v1_8: <ScanVPN>k__BackingField
|
29.2.Mon179e1058f256.exe.352d6c6.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.352d6c6.2.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.352d6c6.2.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | - 0x12d69:$a4: get_ScannedWallets
- 0x12851:$a5: get_ScanTelegram
- 0x12925:$a6: get_ScanGeckoBrowsersPaths
- 0x12a78:$a7: <Processes>k__BackingField
- 0x11ca7:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0x12672:$a9: <ScanFTP>k__BackingField
|
29.2.Mon179e1058f256.exe.352d6c6.2.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x12618:$u7: RunPE
- 0x1261e:$u8: DownloadAndEx
- 0x1a15a:$pat14: , CommandLine:
- 0x11bbb:$v2_1: ListOfProcesses
- 0x127bd:$v2_2: get_ScanBrowsers
- 0x127fb:$v2_2: get_ScanFTP
- 0x12813:$v2_2: get_ScanWallets
- 0x12833:$v2_2: get_ScanScreen
- 0x12851:$v2_2: get_ScanTelegram
- 0x12873:$v2_2: get_ScanVPN
- 0x1288b:$v2_2: get_ScanSteam
- 0x128a7:$v2_2: get_ScanDiscord
- 0x128ed:$v2_2: get_ScanChromeBrowsersPaths
- 0x12925:$v2_2: get_ScanGeckoBrowsersPaths
- 0x12d69:$v2_2: get_ScannedWallets
- 0x11efc:$v2_3: GetArguments
- 0x120e1:$v2_4: VerifyUpdate
- 0x11f09:$v2_5: VerifyScanRequest
- 0x120d6:$v2_6: GetUpdates
- 0x17f48:$v2_6: GetUpdates
- 0xffc9:$v4_3: base64str
|
29.2.Mon179e1058f256.exe.352d6c6.2.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | - 0x12161:$v1_2: <BrowserProfile>k__
- 0x12a93:$v1_3: <SystemHardwares>k__
- 0x1363e:$v1_4: <geoplugin_request>k__
- 0x12b52:$v1_5: <ScannedWallets>k__
- 0x12be2:$v1_6: <DicrFiles>k__
- 0x12bbe:$v1_7: <MessageClientFiles>k__
- 0x12639:$v1_8: <ScanBrowsers>k__BackingField
- 0x1268b:$v1_8: <ScanWallets>k__BackingField
- 0x126a8:$v1_8: <ScanScreen>k__BackingField
- 0x126e2:$v1_8: <ScanVPN>k__BackingField
|
29.2.Mon179e1058f256.exe.5c50ee8.7.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.5c50ee8.7.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.5c50ee8.7.raw.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | - 0x14b69:$a4: get_ScannedWallets
- 0x14651:$a5: get_ScanTelegram
- 0x14725:$a6: get_ScanGeckoBrowsersPaths
- 0x14878:$a7: <Processes>k__BackingField
- 0x13aa7:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0x14472:$a9: <ScanFTP>k__BackingField
|
29.2.Mon179e1058f256.exe.5c50ee8.7.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x14418:$u7: RunPE
- 0x1441e:$u8: DownloadAndEx
- 0x1bf5a:$pat14: , CommandLine:
- 0x139bb:$v2_1: ListOfProcesses
- 0x145bd:$v2_2: get_ScanBrowsers
- 0x145fb:$v2_2: get_ScanFTP
- 0x14613:$v2_2: get_ScanWallets
- 0x14633:$v2_2: get_ScanScreen
- 0x14651:$v2_2: get_ScanTelegram
- 0x14673:$v2_2: get_ScanVPN
- 0x1468b:$v2_2: get_ScanSteam
- 0x146a7:$v2_2: get_ScanDiscord
- 0x146ed:$v2_2: get_ScanChromeBrowsersPaths
- 0x14725:$v2_2: get_ScanGeckoBrowsersPaths
- 0x14b69:$v2_2: get_ScannedWallets
- 0x13cfc:$v2_3: GetArguments
- 0x13ee1:$v2_4: VerifyUpdate
- 0x13d09:$v2_5: VerifyScanRequest
- 0x13ed6:$v2_6: GetUpdates
- 0x19d48:$v2_6: GetUpdates
- 0x11dc9:$v4_3: base64str
|
29.2.Mon179e1058f256.exe.5c50ee8.7.raw.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | - 0x13f61:$v1_2: <BrowserProfile>k__
- 0x14893:$v1_3: <SystemHardwares>k__
- 0x1543e:$v1_4: <geoplugin_request>k__
- 0x14952:$v1_5: <ScannedWallets>k__
- 0x149e2:$v1_6: <DicrFiles>k__
- 0x149be:$v1_7: <MessageClientFiles>k__
- 0x14439:$v1_8: <ScanBrowsers>k__BackingField
- 0x1448b:$v1_8: <ScanWallets>k__BackingField
- 0x144a8:$v1_8: <ScanScreen>k__BackingField
- 0x144e2:$v1_8: <ScanVPN>k__BackingField
|
26.2.Mon1785436ae78.exe.17e0e50.1.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
26.2.Mon1785436ae78.exe.17e0e50.1.raw.unpack | JoeSecurity_onlyLogger | Yara detected onlyLogger | Joe Security | |
26.2.Mon1785436ae78.exe.17e0e50.1.raw.unpack | MALWARE_Win_OnlyLogger | Detects OnlyLogger loader variants | ditekSHen | - 0x3e484:$s1: 45 6C 65 76 61 74 65 64 00 00 00 00 4E 4F 54 20 65 6C 65 76 61 74 65 64
- 0x3ea9c:$s2: " /f & erase "
- 0x3eaac:$s3: /c taskkill /im "
- 0x3e88c:$s4: KILLME
- 0x3eac0:$s5: C:\Windows\System32\cmd.exe
- 0x3e57d:$gn: .php?pub=
- 0x3e59f:$gn: .php?pub=
- 0x3e866:$gn: .php?pub=
- 0x3e876:$gn: .php?pub=
- 0x3e8cc:$gn: .php?pub=
- 0x3e5ac:$ip: /1SbGr7
- 0x3e5b4:$ip: /1S3Jr7
- 0x3e5bc:$ip: /1SVGr7
- 0x3e5c4:$ip: /1SDGr7
- 0x3e5cc:$ip: /1SXGr7
- 0x3e5d4:$ip: /1RGrt7
- 0x3e5dc:$ip: /1B6de7
- 0x3e5ec:$ip: /1B8de7
- 0x3e5f8:$ip: /1B9de7
- 0x3e604:$ip: /1exB47
- 0x3e614:$ip: /1ecB47
|
29.2.Mon179e1058f256.exe.352c7de.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.352c7de.3.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.352c7de.3.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | - 0x13c51:$a4: get_ScannedWallets
- 0x13739:$a5: get_ScanTelegram
- 0x1380d:$a6: get_ScanGeckoBrowsersPaths
- 0x13960:$a7: <Processes>k__BackingField
- 0x12b8f:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0x1355a:$a9: <ScanFTP>k__BackingField
|
29.2.Mon179e1058f256.exe.352c7de.3.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x13500:$u7: RunPE
- 0x13506:$u8: DownloadAndEx
- 0x1b042:$pat14: , CommandLine:
- 0x12aa3:$v2_1: ListOfProcesses
- 0x136a5:$v2_2: get_ScanBrowsers
- 0x136e3:$v2_2: get_ScanFTP
- 0x136fb:$v2_2: get_ScanWallets
- 0x1371b:$v2_2: get_ScanScreen
- 0x13739:$v2_2: get_ScanTelegram
- 0x1375b:$v2_2: get_ScanVPN
- 0x13773:$v2_2: get_ScanSteam
- 0x1378f:$v2_2: get_ScanDiscord
- 0x137d5:$v2_2: get_ScanChromeBrowsersPaths
- 0x1380d:$v2_2: get_ScanGeckoBrowsersPaths
- 0x13c51:$v2_2: get_ScannedWallets
- 0x12de4:$v2_3: GetArguments
- 0x12fc9:$v2_4: VerifyUpdate
- 0x12df1:$v2_5: VerifyScanRequest
- 0x12fbe:$v2_6: GetUpdates
- 0x18e30:$v2_6: GetUpdates
- 0x10eb1:$v4_3: base64str
|
29.2.Mon179e1058f256.exe.352c7de.3.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | - 0x13049:$v1_2: <BrowserProfile>k__
- 0x1397b:$v1_3: <SystemHardwares>k__
- 0x14526:$v1_4: <geoplugin_request>k__
- 0x13a3a:$v1_5: <ScannedWallets>k__
- 0x13aca:$v1_6: <DicrFiles>k__
- 0x13aa6:$v1_7: <MessageClientFiles>k__
- 0x13521:$v1_8: <ScanBrowsers>k__BackingField
- 0x13573:$v1_8: <ScanWallets>k__BackingField
- 0x13590:$v1_8: <ScanScreen>k__BackingField
- 0x135ca:$v1_8: <ScanVPN>k__BackingField
|
29.2.Mon179e1058f256.exe.6390000.9.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.6390000.9.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.6390000.9.raw.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | - 0x14b69:$a4: get_ScannedWallets
- 0x14651:$a5: get_ScanTelegram
- 0x14725:$a6: get_ScanGeckoBrowsersPaths
- 0x14878:$a7: <Processes>k__BackingField
- 0x13aa7:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0x14472:$a9: <ScanFTP>k__BackingField
|
29.2.Mon179e1058f256.exe.6390000.9.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x14418:$u7: RunPE
- 0x1441e:$u8: DownloadAndEx
- 0x1bf5a:$pat14: , CommandLine:
- 0x139bb:$v2_1: ListOfProcesses
- 0x145bd:$v2_2: get_ScanBrowsers
- 0x145fb:$v2_2: get_ScanFTP
- 0x14613:$v2_2: get_ScanWallets
- 0x14633:$v2_2: get_ScanScreen
- 0x14651:$v2_2: get_ScanTelegram
- 0x14673:$v2_2: get_ScanVPN
- 0x1468b:$v2_2: get_ScanSteam
- 0x146a7:$v2_2: get_ScanDiscord
- 0x146ed:$v2_2: get_ScanChromeBrowsersPaths
- 0x14725:$v2_2: get_ScanGeckoBrowsersPaths
- 0x14b69:$v2_2: get_ScannedWallets
- 0x13cfc:$v2_3: GetArguments
- 0x13ee1:$v2_4: VerifyUpdate
- 0x13d09:$v2_5: VerifyScanRequest
- 0x13ed6:$v2_6: GetUpdates
- 0x19d48:$v2_6: GetUpdates
- 0x11dc9:$v4_3: base64str
|
29.2.Mon179e1058f256.exe.6390000.9.raw.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | - 0x13f61:$v1_2: <BrowserProfile>k__
- 0x14893:$v1_3: <SystemHardwares>k__
- 0x1543e:$v1_4: <geoplugin_request>k__
- 0x14952:$v1_5: <ScannedWallets>k__
- 0x149e2:$v1_6: <DicrFiles>k__
- 0x149be:$v1_7: <MessageClientFiles>k__
- 0x14439:$v1_8: <ScanBrowsers>k__BackingField
- 0x1448b:$v1_8: <ScanWallets>k__BackingField
- 0x144a8:$v1_8: <ScanScreen>k__BackingField
- 0x144e2:$v1_8: <ScanVPN>k__BackingField
|
14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.raw.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | - 0x1a000:$a3: Software\Valve\SteamLogin Data
- 0x14d2f:$a4: get_ScannedWallets
- 0x1377c:$a5: get_ScanTelegram
- 0x14861:$a6: get_ScanGeckoBrowsersPaths
- 0x1213d:$a7: <Processes>k__BackingField
- 0x10097:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0x11a4f:$a9: <ScanFTP>k__BackingField
|
14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.raw.unpack | Windows_Trojan_RedLineStealer_3d9371fd | unknown | unknown | - 0x15452:$a1: get_encrypted_key
- 0x147cc:$a2: get_PassedPaths
- 0x12af6:$a3: ChromeGetLocalName
- 0x14c6a:$a4: GetBrowsers
- 0x1a000:$a5: Software\Valve\SteamLogin Data
- 0x19808:$a6: %appdata%\
- 0x1427d:$a7: ScanPasswords
|
14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x1150d:$u7: RunPE
- 0x15336:$u8: DownloadAndEx
- 0x1ae28:$pat14: , CommandLine:
- 0x1463c:$v2_1: ListOfProcesses
- 0x1172e:$v2_2: get_ScanVPN
- 0x117ee:$v2_2: get_ScanFTP
- 0x12559:$v2_2: get_ScanDiscord
- 0x13760:$v2_2: get_ScanSteam
- 0x1377c:$v2_2: get_ScanTelegram
- 0x13839:$v2_2: get_ScanScreen
- 0x14829:$v2_2: get_ScanChromeBrowsersPaths
- 0x14861:$v2_2: get_ScanGeckoBrowsersPaths
- 0x14c36:$v2_2: get_ScanBrowsers
- 0x14d2f:$v2_2: get_ScannedWallets
- 0x14d88:$v2_2: get_ScanWallets
- 0x14da8:$v2_3: GetArguments
- 0x12e8b:$v2_4: VerifyUpdate
- 0x1517b:$v2_5: VerifyScanRequest
- 0x146b7:$v2_6: GetUpdates
- 0x1894f:$v2_6: GetUpdates
- 0x141f8:$v4_3: base64str
|
14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.raw.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | - 0x11be3:$v1_2: <BrowserProfile>k__
- 0x120e8:$v1_3: <SystemHardwares>k__
- 0x123ed:$v1_4: <geoplugin_request>k__
- 0x12360:$v1_5: <ScannedWallets>k__
- 0x12086:$v1_6: <DicrFiles>k__
- 0x120c4:$v1_7: <MessageClientFiles>k__
- 0x11a22:$v1_8: <ScanVPN>k__BackingField
- 0x11dd0:$v1_8: <ScanScreen>k__BackingField
- 0x12322:$v1_8: <ScanBrowsers>k__BackingField
- 0x12380:$v1_8: <ScanWallets>k__BackingField
|
26.3.Mon1785436ae78.exe.1880000.0.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
26.3.Mon1785436ae78.exe.1880000.0.raw.unpack | JoeSecurity_onlyLogger | Yara detected onlyLogger | Joe Security | |
26.3.Mon1785436ae78.exe.1880000.0.raw.unpack | MALWARE_Win_OnlyLogger | Detects OnlyLogger loader variants | ditekSHen | - 0x3e484:$s1: 45 6C 65 76 61 74 65 64 00 00 00 00 4E 4F 54 20 65 6C 65 76 61 74 65 64
- 0x3ea9c:$s2: " /f & erase "
- 0x3eaac:$s3: /c taskkill /im "
- 0x3e88c:$s4: KILLME
- 0x3eac0:$s5: C:\Windows\System32\cmd.exe
- 0x3e57d:$gn: .php?pub=
- 0x3e59f:$gn: .php?pub=
- 0x3e866:$gn: .php?pub=
- 0x3e876:$gn: .php?pub=
- 0x3e8cc:$gn: .php?pub=
- 0x3e5ac:$ip: /1SbGr7
- 0x3e5b4:$ip: /1S3Jr7
- 0x3e5bc:$ip: /1SVGr7
- 0x3e5c4:$ip: /1SDGr7
- 0x3e5cc:$ip: /1SXGr7
- 0x3e5d4:$ip: /1RGrt7
- 0x3e5dc:$ip: /1B6de7
- 0x3e5ec:$ip: /1B8de7
- 0x3e5f8:$ip: /1B9de7
- 0x3e604:$ip: /1exB47
- 0x3e614:$ip: /1ecB47
|
23.2.Mon17b5f403be4d8d6b.exe.9c0000.0.unpack | JoeSecurity_PrivateLoader | Yara detected PrivateLoader | Joe Security | |
14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | - 0x18400:$a3: Software\Valve\SteamLogin Data
- 0x1312f:$a4: get_ScannedWallets
- 0x11b7c:$a5: get_ScanTelegram
- 0x12c61:$a6: get_ScanGeckoBrowsersPaths
- 0x1053d:$a7: <Processes>k__BackingField
- 0xe497:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0xfe4f:$a9: <ScanFTP>k__BackingField
|
14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.unpack | Windows_Trojan_RedLineStealer_3d9371fd | unknown | unknown | - 0x13852:$a1: get_encrypted_key
- 0x12bcc:$a2: get_PassedPaths
- 0x10ef6:$a3: ChromeGetLocalName
- 0x1306a:$a4: GetBrowsers
- 0x18400:$a5: Software\Valve\SteamLogin Data
- 0x17c08:$a6: %appdata%\
- 0x1267d:$a7: ScanPasswords
|
14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0xf90d:$u7: RunPE
- 0x13736:$u8: DownloadAndEx
- 0x19228:$pat14: , CommandLine:
- 0x12a3c:$v2_1: ListOfProcesses
- 0xfb2e:$v2_2: get_ScanVPN
- 0xfbee:$v2_2: get_ScanFTP
- 0x10959:$v2_2: get_ScanDiscord
- 0x11b60:$v2_2: get_ScanSteam
- 0x11b7c:$v2_2: get_ScanTelegram
- 0x11c39:$v2_2: get_ScanScreen
- 0x12c29:$v2_2: get_ScanChromeBrowsersPaths
- 0x12c61:$v2_2: get_ScanGeckoBrowsersPaths
- 0x13036:$v2_2: get_ScanBrowsers
- 0x1312f:$v2_2: get_ScannedWallets
- 0x13188:$v2_2: get_ScanWallets
- 0x131a8:$v2_3: GetArguments
- 0x1128b:$v2_4: VerifyUpdate
- 0x1357b:$v2_5: VerifyScanRequest
- 0x12ab7:$v2_6: GetUpdates
- 0x16d4f:$v2_6: GetUpdates
- 0x125f8:$v4_3: base64str
|
14.2.Mon17eac6d534bfd22c7.exe.40a56c8.0.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | - 0xffe3:$v1_2: <BrowserProfile>k__
- 0x104e8:$v1_3: <SystemHardwares>k__
- 0x107ed:$v1_4: <geoplugin_request>k__
- 0x10760:$v1_5: <ScannedWallets>k__
- 0x10486:$v1_6: <DicrFiles>k__
- 0x104c4:$v1_7: <MessageClientFiles>k__
- 0xfe22:$v1_8: <ScanVPN>k__BackingField
- 0x101d0:$v1_8: <ScanScreen>k__BackingField
- 0x10722:$v1_8: <ScanBrowsers>k__BackingField
- 0x10780:$v1_8: <ScanWallets>k__BackingField
|
26.3.Mon1785436ae78.exe.1880000.0.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
26.3.Mon1785436ae78.exe.1880000.0.unpack | JoeSecurity_onlyLogger | Yara detected onlyLogger | Joe Security | |
26.3.Mon1785436ae78.exe.1880000.0.unpack | MALWARE_Win_OnlyLogger | Detects OnlyLogger loader variants | ditekSHen | - 0x3d084:$s1: 45 6C 65 76 61 74 65 64 00 00 00 00 4E 4F 54 20 65 6C 65 76 61 74 65 64
- 0x3d69c:$s2: " /f & erase "
- 0x3d6ac:$s3: /c taskkill /im "
- 0x3d48c:$s4: KILLME
- 0x3d6c0:$s5: C:\Windows\System32\cmd.exe
- 0x3d17d:$gn: .php?pub=
- 0x3d19f:$gn: .php?pub=
- 0x3d466:$gn: .php?pub=
- 0x3d476:$gn: .php?pub=
- 0x3d4cc:$gn: .php?pub=
- 0x3d1ac:$ip: /1SbGr7
- 0x3d1b4:$ip: /1S3Jr7
- 0x3d1bc:$ip: /1SVGr7
- 0x3d1c4:$ip: /1SDGr7
- 0x3d1cc:$ip: /1SXGr7
- 0x3d1d4:$ip: /1RGrt7
- 0x3d1dc:$ip: /1B6de7
- 0x3d1ec:$ip: /1B8de7
- 0x3d1f8:$ip: /1B9de7
- 0x3d204:$ip: /1exB47
- 0x3d214:$ip: /1ecB47
|
29.2.Mon179e1058f256.exe.47f3790.6.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.47f3790.6.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.47f3790.6.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | - 0x12d69:$a4: get_ScannedWallets
- 0x12851:$a5: get_ScanTelegram
- 0x12925:$a6: get_ScanGeckoBrowsersPaths
- 0x12a78:$a7: <Processes>k__BackingField
- 0x11ca7:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0x12672:$a9: <ScanFTP>k__BackingField
|
29.2.Mon179e1058f256.exe.47f3790.6.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x12618:$u7: RunPE
- 0x1261e:$u8: DownloadAndEx
- 0x1a15a:$pat14: , CommandLine:
- 0x11bbb:$v2_1: ListOfProcesses
- 0x127bd:$v2_2: get_ScanBrowsers
- 0x127fb:$v2_2: get_ScanFTP
- 0x12813:$v2_2: get_ScanWallets
- 0x12833:$v2_2: get_ScanScreen
- 0x12851:$v2_2: get_ScanTelegram
- 0x12873:$v2_2: get_ScanVPN
- 0x1288b:$v2_2: get_ScanSteam
- 0x128a7:$v2_2: get_ScanDiscord
- 0x128ed:$v2_2: get_ScanChromeBrowsersPaths
- 0x12925:$v2_2: get_ScanGeckoBrowsersPaths
- 0x12d69:$v2_2: get_ScannedWallets
- 0x11efc:$v2_3: GetArguments
- 0x120e1:$v2_4: VerifyUpdate
- 0x11f09:$v2_5: VerifyScanRequest
- 0x120d6:$v2_6: GetUpdates
- 0x17f48:$v2_6: GetUpdates
- 0xffc9:$v4_3: base64str
|
29.2.Mon179e1058f256.exe.47f3790.6.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | - 0x12161:$v1_2: <BrowserProfile>k__
- 0x12a93:$v1_3: <SystemHardwares>k__
- 0x1363e:$v1_4: <geoplugin_request>k__
- 0x12b52:$v1_5: <ScannedWallets>k__
- 0x12be2:$v1_6: <DicrFiles>k__
- 0x12bbe:$v1_7: <MessageClientFiles>k__
- 0x12639:$v1_8: <ScanBrowsers>k__BackingField
- 0x1268b:$v1_8: <ScanWallets>k__BackingField
- 0x126a8:$v1_8: <ScanScreen>k__BackingField
- 0x126e2:$v1_8: <ScanVPN>k__BackingField
|
25.2.Mon17948100733a95c58.exe.39d5068.0.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
25.2.Mon17948100733a95c58.exe.39d5068.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
25.2.Mon17948100733a95c58.exe.39d5068.0.raw.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | - 0x1a004:$a3: Software\Valve\SteamLogin Data
- 0x14d2f:$a4: get_ScannedWallets
- 0x1377c:$a5: get_ScanTelegram
- 0x14859:$a6: get_ScanGeckoBrowsersPaths
- 0x1213d:$a7: <Processes>k__BackingField
- 0x10097:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0x11a4f:$a9: <ScanFTP>k__BackingField
|
25.2.Mon17948100733a95c58.exe.39d5068.0.raw.unpack | Windows_Trojan_RedLineStealer_3d9371fd | unknown | unknown | - 0x15452:$a1: get_encrypted_key
- 0x147c4:$a2: get_PassedPaths
- 0x12af6:$a3: ChromeGetLocalName
- 0x14c6a:$a4: GetBrowsers
- 0x1a004:$a5: Software\Valve\SteamLogin Data
- 0x1980c:$a6: %appdata%\
- 0x14275:$a7: ScanPasswords
|
25.2.Mon17948100733a95c58.exe.39d5068.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x1150d:$u7: RunPE
- 0x15336:$u8: DownloadAndEx
- 0x1ae2c:$pat14: , CommandLine:
- 0x14634:$v2_1: ListOfProcesses
- 0x1172e:$v2_2: get_ScanVPN
- 0x117ee:$v2_2: get_ScanFTP
- 0x12559:$v2_2: get_ScanDiscord
- 0x13760:$v2_2: get_ScanSteam
- 0x1377c:$v2_2: get_ScanTelegram
- 0x13839:$v2_2: get_ScanScreen
- 0x14821:$v2_2: get_ScanChromeBrowsersPaths
- 0x14859:$v2_2: get_ScanGeckoBrowsersPaths
- 0x14c36:$v2_2: get_ScanBrowsers
- 0x14d2f:$v2_2: get_ScannedWallets
- 0x14d88:$v2_2: get_ScanWallets
- 0x14da8:$v2_3: GetArguments
- 0x12e8b:$v2_4: VerifyUpdate
- 0x1517b:$v2_5: VerifyScanRequest
- 0x146af:$v2_6: GetUpdates
- 0x18953:$v2_6: GetUpdates
- 0x141f0:$v4_3: base64str
|
25.2.Mon17948100733a95c58.exe.39d5068.0.raw.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | - 0x11be3:$v1_2: <BrowserProfile>k__
- 0x120e8:$v1_3: <SystemHardwares>k__
- 0x123ed:$v1_4: <geoplugin_request>k__
- 0x12360:$v1_5: <ScannedWallets>k__
- 0x12086:$v1_6: <DicrFiles>k__
- 0x120c4:$v1_7: <MessageClientFiles>k__
- 0x11a22:$v1_8: <ScanVPN>k__BackingField
- 0x11dd0:$v1_8: <ScanScreen>k__BackingField
- 0x12322:$v1_8: <ScanBrowsers>k__BackingField
- 0x12380:$v1_8: <ScanWallets>k__BackingField
|
1.3.setup_installer.exe.30bf192.11.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
1.3.setup_installer.exe.30bf192.11.raw.unpack | MALWARE_Win_DLInjector04 | Detects downloader / injector | ditekSHen | - 0xbc2:$s1: Runner
- 0xc54:$s2: DownloadPayload
- 0xc64:$s3: RunOnStartup
- 0xbd6:$a1: Antis
- 0xc03:$a2: antiVM
- 0xc0a:$a3: antiSandbox
- 0xc16:$a4: antiDebug
- 0xc20:$a5: antiEmulator
- 0xc2d:$a6: enablePersistence
- 0xc3f:$a7: enableFakeError
- 0xc7f:$a8: DetectVirtualMachine
- 0xca4:$a9: DetectSandboxie
- 0xccf:$a10: DetectDebugger
- 0xcde:$a11: CheckEmulator
|
2.2.setup_install.exe.6b280000.2.unpack | MALWARE_Win_DLInjector03 | Detects unknown loader / injector | ditekSHen | - 0xcaf9:$x1: LOADER ERROR
- 0x5f53:$s1: _ZN6curlpp10OptionBaseC2E10CURLoption
- 0xcb06:$s2: The procedure entry point %s could not be located in the dynamic link library %s
|
1.3.setup_installer.exe.2f30000.8.raw.unpack | MALWARE_Win_DLInjector03 | Detects unknown loader / injector | ditekSHen | - 0x356c5:$x1: LOADER ERROR
- 0x43401:$x1: LOADER ERROR
- 0xff12b:$x1: LOADER ERROR
- 0x3c68f:$s1: _ZN6curlpp10OptionBaseC2E10CURLoption
- 0x356d2:$s2: The procedure entry point %s could not be located in the dynamic link library %s
- 0x4340e:$s2: The procedure entry point %s could not be located in the dynamic link library %s
- 0xff138:$s2: The procedure entry point %s could not be located in the dynamic link library %s
|
29.2.Mon179e1058f256.exe.17f0e50.1.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
- 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
- 0x700:$s3: 83 EC 38 53 B0 C0 88 44 24 2B 88 44 24 2F B0 C3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
- 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
- 0x1e9d0:$s5: delete[]
- 0x1de88:$s6: constructor or from DllMain.
|
29.3.Mon179e1058f256.exe.3140000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
- 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
- 0x700:$s3: 83 EC 38 53 B0 C0 88 44 24 2B 88 44 24 2F B0 C3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
- 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
- 0x1e9d0:$s5: delete[]
- 0x1de88:$s6: constructor or from DllMain.
|
1.3.setup_installer.exe.2f66740.2.raw.unpack | MALWARE_Win_DLInjector03 | Detects unknown loader / injector | ditekSHen | - 0xccc1:$x1: LOADER ERROR
- 0xc89eb:$x1: LOADER ERROR
- 0x5f4f:$s1: _ZN6curlpp10OptionBaseC2E10CURLoption
- 0xccce:$s2: The procedure entry point %s could not be located in the dynamic link library %s
- 0xc89f8:$s2: The procedure entry point %s could not be located in the dynamic link library %s
|
26.2.Mon1785436ae78.exe.400000.0.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
26.2.Mon1785436ae78.exe.400000.0.raw.unpack | JoeSecurity_onlyLogger | Yara detected onlyLogger | Joe Security | |
26.2.Mon1785436ae78.exe.400000.0.raw.unpack | MALWARE_Win_OnlyLogger | Detects OnlyLogger loader variants | ditekSHen | - 0x3f884:$s1: 45 6C 65 76 61 74 65 64 00 00 00 00 4E 4F 54 20 65 6C 65 76 61 74 65 64
- 0x3fe9c:$s2: " /f & erase "
- 0x3feac:$s3: /c taskkill /im "
- 0x3fc8c:$s4: KILLME
- 0x3fec0:$s5: C:\Windows\System32\cmd.exe
- 0x3f97d:$gn: .php?pub=
- 0x3f99f:$gn: .php?pub=
- 0x3fc66:$gn: .php?pub=
- 0x3fc76:$gn: .php?pub=
- 0x3fccc:$gn: .php?pub=
- 0x3f9ac:$ip: /1SbGr7
- 0x3f9b4:$ip: /1S3Jr7
- 0x3f9bc:$ip: /1SVGr7
- 0x3f9c4:$ip: /1SDGr7
- 0x3f9cc:$ip: /1SXGr7
- 0x3f9d4:$ip: /1RGrt7
- 0x3f9dc:$ip: /1B6de7
- 0x3f9ec:$ip: /1B8de7
- 0x3f9f8:$ip: /1B9de7
- 0x3fa04:$ip: /1exB47
- 0x3fa14:$ip: /1ecB47
|
29.2.Mon179e1058f256.exe.352c7de.3.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.352c7de.3.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.352c7de.3.raw.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | - 0x15a51:$a4: get_ScannedWallets
- 0x15539:$a5: get_ScanTelegram
- 0x1560d:$a6: get_ScanGeckoBrowsersPaths
- 0x15760:$a7: <Processes>k__BackingField
- 0x1498f:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0x1535a:$a9: <ScanFTP>k__BackingField
|
29.2.Mon179e1058f256.exe.352c7de.3.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x15300:$u7: RunPE
- 0x15306:$u8: DownloadAndEx
- 0x1ce42:$pat14: , CommandLine:
- 0x148a3:$v2_1: ListOfProcesses
- 0x154a5:$v2_2: get_ScanBrowsers
- 0x154e3:$v2_2: get_ScanFTP
- 0x154fb:$v2_2: get_ScanWallets
- 0x1551b:$v2_2: get_ScanScreen
- 0x15539:$v2_2: get_ScanTelegram
- 0x1555b:$v2_2: get_ScanVPN
- 0x15573:$v2_2: get_ScanSteam
- 0x1558f:$v2_2: get_ScanDiscord
- 0x155d5:$v2_2: get_ScanChromeBrowsersPaths
- 0x1560d:$v2_2: get_ScanGeckoBrowsersPaths
- 0x15a51:$v2_2: get_ScannedWallets
- 0x14be4:$v2_3: GetArguments
- 0x14dc9:$v2_4: VerifyUpdate
- 0x14bf1:$v2_5: VerifyScanRequest
- 0x14dbe:$v2_6: GetUpdates
- 0x1ac30:$v2_6: GetUpdates
- 0x12cb1:$v4_3: base64str
|
29.2.Mon179e1058f256.exe.352c7de.3.raw.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | - 0x14e49:$v1_2: <BrowserProfile>k__
- 0x1577b:$v1_3: <SystemHardwares>k__
- 0x16326:$v1_4: <geoplugin_request>k__
- 0x1583a:$v1_5: <ScannedWallets>k__
- 0x158ca:$v1_6: <DicrFiles>k__
- 0x158a6:$v1_7: <MessageClientFiles>k__
- 0x15321:$v1_8: <ScanBrowsers>k__BackingField
- 0x15373:$v1_8: <ScanWallets>k__BackingField
- 0x15390:$v1_8: <ScanScreen>k__BackingField
- 0x153ca:$v1_8: <ScanVPN>k__BackingField
|
29.2.Mon179e1058f256.exe.47d6458.5.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.47d6458.5.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.47d6458.5.raw.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | - 0x14b69:$a4: get_ScannedWallets
- 0x31ea1:$a4: get_ScannedWallets
- 0x14651:$a5: get_ScanTelegram
- 0x31989:$a5: get_ScanTelegram
- 0x14725:$a6: get_ScanGeckoBrowsersPaths
- 0x31a5d:$a6: get_ScanGeckoBrowsersPaths
- 0x14878:$a7: <Processes>k__BackingField
- 0x31bb0:$a7: <Processes>k__BackingField
- 0x13aa7:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0x30ddf:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0x14472:$a9: <ScanFTP>k__BackingField
- 0x317aa:$a9: <ScanFTP>k__BackingField
|
29.2.Mon179e1058f256.exe.47d6458.5.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x14418:$u7: RunPE
- 0x31750:$u7: RunPE
- 0x1441e:$u8: DownloadAndEx
- 0x31756:$u8: DownloadAndEx
- 0x1bf5a:$pat14: , CommandLine:
- 0x39292:$pat14: , CommandLine:
- 0x139bb:$v2_1: ListOfProcesses
- 0x30cf3:$v2_1: ListOfProcesses
- 0x145bd:$v2_2: get_ScanBrowsers
- 0x145fb:$v2_2: get_ScanFTP
- 0x14613:$v2_2: get_ScanWallets
- 0x14633:$v2_2: get_ScanScreen
- 0x14651:$v2_2: get_ScanTelegram
- 0x14673:$v2_2: get_ScanVPN
- 0x1468b:$v2_2: get_ScanSteam
- 0x146a7:$v2_2: get_ScanDiscord
- 0x146ed:$v2_2: get_ScanChromeBrowsersPaths
- 0x14725:$v2_2: get_ScanGeckoBrowsersPaths
- 0x14b69:$v2_2: get_ScannedWallets
- 0x318f5:$v2_2: get_ScanBrowsers
- 0x31933:$v2_2: get_ScanFTP
|
29.2.Mon179e1058f256.exe.47d6458.5.raw.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | - 0x13f61:$v1_2: <BrowserProfile>k__
- 0x31299:$v1_2: <BrowserProfile>k__
- 0x14893:$v1_3: <SystemHardwares>k__
- 0x31bcb:$v1_3: <SystemHardwares>k__
- 0x1543e:$v1_4: <geoplugin_request>k__
- 0x32776:$v1_4: <geoplugin_request>k__
- 0x14952:$v1_5: <ScannedWallets>k__
- 0x31c8a:$v1_5: <ScannedWallets>k__
- 0x149e2:$v1_6: <DicrFiles>k__
- 0x31d1a:$v1_6: <DicrFiles>k__
- 0x149be:$v1_7: <MessageClientFiles>k__
- 0x31cf6:$v1_7: <MessageClientFiles>k__
- 0x14439:$v1_8: <ScanBrowsers>k__BackingField
- 0x1448b:$v1_8: <ScanWallets>k__BackingField
- 0x144a8:$v1_8: <ScanScreen>k__BackingField
- 0x144e2:$v1_8: <ScanVPN>k__BackingField
- 0x31771:$v1_8: <ScanBrowsers>k__BackingField
- 0x317c3:$v1_8: <ScanWallets>k__BackingField
- 0x317e0:$v1_8: <ScanScreen>k__BackingField
- 0x3181a:$v1_8: <ScanVPN>k__BackingField
|
29.2.Mon179e1058f256.exe.6390000.9.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.6390000.9.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.6390000.9.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | - 0x12d69:$a4: get_ScannedWallets
- 0x12851:$a5: get_ScanTelegram
- 0x12925:$a6: get_ScanGeckoBrowsersPaths
- 0x12a78:$a7: <Processes>k__BackingField
- 0x11ca7:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0x12672:$a9: <ScanFTP>k__BackingField
|
29.2.Mon179e1058f256.exe.6390000.9.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x12618:$u7: RunPE
- 0x1261e:$u8: DownloadAndEx
- 0x1a15a:$pat14: , CommandLine:
- 0x11bbb:$v2_1: ListOfProcesses
- 0x127bd:$v2_2: get_ScanBrowsers
- 0x127fb:$v2_2: get_ScanFTP
- 0x12813:$v2_2: get_ScanWallets
- 0x12833:$v2_2: get_ScanScreen
- 0x12851:$v2_2: get_ScanTelegram
- 0x12873:$v2_2: get_ScanVPN
- 0x1288b:$v2_2: get_ScanSteam
- 0x128a7:$v2_2: get_ScanDiscord
- 0x128ed:$v2_2: get_ScanChromeBrowsersPaths
- 0x12925:$v2_2: get_ScanGeckoBrowsersPaths
- 0x12d69:$v2_2: get_ScannedWallets
- 0x11efc:$v2_3: GetArguments
- 0x120e1:$v2_4: VerifyUpdate
- 0x11f09:$v2_5: VerifyScanRequest
- 0x120d6:$v2_6: GetUpdates
- 0x17f48:$v2_6: GetUpdates
- 0xffc9:$v4_3: base64str
|
29.2.Mon179e1058f256.exe.6390000.9.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | - 0x12161:$v1_2: <BrowserProfile>k__
- 0x12a93:$v1_3: <SystemHardwares>k__
- 0x1363e:$v1_4: <geoplugin_request>k__
- 0x12b52:$v1_5: <ScannedWallets>k__
- 0x12be2:$v1_6: <DicrFiles>k__
- 0x12bbe:$v1_7: <MessageClientFiles>k__
- 0x12639:$v1_8: <ScanBrowsers>k__BackingField
- 0x1268b:$v1_8: <ScanWallets>k__BackingField
- 0x126a8:$v1_8: <ScanScreen>k__BackingField
- 0x126e2:$v1_8: <ScanVPN>k__BackingField
|
32.2.Mon17948100733a95c58.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
32.2.Mon17948100733a95c58.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
32.2.Mon17948100733a95c58.exe.400000.0.unpack | Windows_Trojan_RedLineStealer_3d9371fd | unknown | unknown | - 0x15452:$a1: get_encrypted_key
- 0x147c4:$a2: get_PassedPaths
- 0x12af6:$a3: ChromeGetLocalName
- 0x14c6a:$a4: GetBrowsers
- 0x1a004:$a5: Software\Valve\SteamLogin Data
- 0x1980c:$a6: %appdata%\
- 0x14275:$a7: ScanPasswords
|
32.2.Mon17948100733a95c58.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x15336:$u8: DownloadAndEx
- 0x1ae2c:$pat14: , CommandLine:
- 0x14634:$v2_1: ListOfProcesses
- 0x12559:$v2_2: get_ScanDiscord
- 0x13760:$v2_2: get_ScanSteam
- 0x1377c:$v2_2: get_ScanTelegram
- 0x13839:$v2_2: get_ScanScreen
- 0x14821:$v2_2: get_ScanChromeBrowsersPaths
- 0x14859:$v2_2: get_ScanGeckoBrowsersPaths
- 0x14c36:$v2_2: get_ScanBrowsers
- 0x14d2f:$v2_2: get_ScannedWallets
- 0x14d88:$v2_2: get_ScanWallets
- 0x14da8:$v2_3: GetArguments
- 0x12e8b:$v2_4: VerifyUpdate
- 0x1517b:$v2_5: VerifyScanRequest
- 0x146af:$v2_6: GetUpdates
- 0x18953:$v2_6: GetUpdates
- 0x141f0:$v4_3: base64str
- 0x153ff:$v4_4: stringKey
- 0x12a5e:$v4_8: procName
- 0x12e67:$v5_1: DownloadAndExecuteUpdate
|
1.3.setup_installer.exe.2f8e26e.10.unpack | MALWARE_Win_DLInjector04 | Detects downloader / injector | ditekSHen | - 0x560e6:$s1: Runner
- 0x56178:$s2: DownloadPayload
- 0x56188:$s3: RunOnStartup
- 0x560fa:$a1: Antis
- 0x56127:$a2: antiVM
- 0x5612e:$a3: antiSandbox
- 0x5613a:$a4: antiDebug
- 0x56144:$a5: antiEmulator
- 0x56151:$a6: enablePersistence
- 0x56163:$a7: enableFakeError
- 0x561a3:$a8: DetectVirtualMachine
- 0x561c8:$a9: DetectSandboxie
- 0x561f3:$a10: DetectDebugger
- 0x56202:$a11: CheckEmulator
|
31.2.Mon17eac6d534bfd22c7.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
31.2.Mon17eac6d534bfd22c7.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
31.2.Mon17eac6d534bfd22c7.exe.400000.0.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | - 0x1a000:$a3: Software\Valve\SteamLogin Data
- 0x14d2f:$a4: get_ScannedWallets
- 0x1377c:$a5: get_ScanTelegram
- 0x14861:$a6: get_ScanGeckoBrowsersPaths
- 0x1213d:$a7: <Processes>k__BackingField
- 0x10097:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0x11a4f:$a9: <ScanFTP>k__BackingField
|
31.2.Mon17eac6d534bfd22c7.exe.400000.0.unpack | Windows_Trojan_RedLineStealer_3d9371fd | unknown | unknown | - 0x15452:$a1: get_encrypted_key
- 0x147cc:$a2: get_PassedPaths
- 0x12af6:$a3: ChromeGetLocalName
- 0x14c6a:$a4: GetBrowsers
- 0x1a000:$a5: Software\Valve\SteamLogin Data
- 0x19808:$a6: %appdata%\
- 0x1427d:$a7: ScanPasswords
|
31.2.Mon17eac6d534bfd22c7.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x1150d:$u7: RunPE
- 0x15336:$u8: DownloadAndEx
- 0x1ae28:$pat14: , CommandLine:
- 0x1463c:$v2_1: ListOfProcesses
- 0x1172e:$v2_2: get_ScanVPN
- 0x117ee:$v2_2: get_ScanFTP
- 0x12559:$v2_2: get_ScanDiscord
- 0x13760:$v2_2: get_ScanSteam
- 0x1377c:$v2_2: get_ScanTelegram
- 0x13839:$v2_2: get_ScanScreen
- 0x14829:$v2_2: get_ScanChromeBrowsersPaths
- 0x14861:$v2_2: get_ScanGeckoBrowsersPaths
- 0x14c36:$v2_2: get_ScanBrowsers
- 0x14d2f:$v2_2: get_ScannedWallets
- 0x14d88:$v2_2: get_ScanWallets
- 0x14da8:$v2_3: GetArguments
- 0x12e8b:$v2_4: VerifyUpdate
- 0x1517b:$v2_5: VerifyScanRequest
- 0x146b7:$v2_6: GetUpdates
- 0x1894f:$v2_6: GetUpdates
- 0x141f8:$v4_3: base64str
|
31.2.Mon17eac6d534bfd22c7.exe.400000.0.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | - 0x11be3:$v1_2: <BrowserProfile>k__
- 0x120e8:$v1_3: <SystemHardwares>k__
- 0x123ed:$v1_4: <geoplugin_request>k__
- 0x12360:$v1_5: <ScannedWallets>k__
- 0x12086:$v1_6: <DicrFiles>k__
- 0x120c4:$v1_7: <MessageClientFiles>k__
- 0x11a22:$v1_8: <ScanVPN>k__BackingField
- 0x11dd0:$v1_8: <ScanScreen>k__BackingField
- 0x12322:$v1_8: <ScanBrowsers>k__BackingField
- 0x12380:$v1_8: <ScanWallets>k__BackingField
|
26.2.Mon1785436ae78.exe.17e0e50.1.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
26.2.Mon1785436ae78.exe.17e0e50.1.unpack | JoeSecurity_onlyLogger | Yara detected onlyLogger | Joe Security | |
26.2.Mon1785436ae78.exe.17e0e50.1.unpack | MALWARE_Win_OnlyLogger | Detects OnlyLogger loader variants | ditekSHen | - 0x3d084:$s1: 45 6C 65 76 61 74 65 64 00 00 00 00 4E 4F 54 20 65 6C 65 76 61 74 65 64
- 0x3d69c:$s2: " /f & erase "
- 0x3d6ac:$s3: /c taskkill /im "
- 0x3d48c:$s4: KILLME
- 0x3d6c0:$s5: C:\Windows\System32\cmd.exe
- 0x3d17d:$gn: .php?pub=
- 0x3d19f:$gn: .php?pub=
- 0x3d466:$gn: .php?pub=
- 0x3d476:$gn: .php?pub=
- 0x3d4cc:$gn: .php?pub=
- 0x3d1ac:$ip: /1SbGr7
- 0x3d1b4:$ip: /1S3Jr7
- 0x3d1bc:$ip: /1SVGr7
- 0x3d1c4:$ip: /1SDGr7
- 0x3d1cc:$ip: /1SXGr7
- 0x3d1d4:$ip: /1RGrt7
- 0x3d1dc:$ip: /1B6de7
- 0x3d1ec:$ip: /1B8de7
- 0x3d1f8:$ip: /1B9de7
- 0x3d204:$ip: /1exB47
- 0x3d214:$ip: /1ecB47
|
29.2.Mon179e1058f256.exe.5c50ee8.7.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.5c50ee8.7.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.5c50ee8.7.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | - 0x12d69:$a4: get_ScannedWallets
- 0x12851:$a5: get_ScanTelegram
- 0x12925:$a6: get_ScanGeckoBrowsersPaths
- 0x12a78:$a7: <Processes>k__BackingField
- 0x11ca7:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0x12672:$a9: <ScanFTP>k__BackingField
|
29.2.Mon179e1058f256.exe.5c50ee8.7.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x12618:$u7: RunPE
- 0x1261e:$u8: DownloadAndEx
- 0x1a15a:$pat14: , CommandLine:
- 0x11bbb:$v2_1: ListOfProcesses
- 0x127bd:$v2_2: get_ScanBrowsers
- 0x127fb:$v2_2: get_ScanFTP
- 0x12813:$v2_2: get_ScanWallets
- 0x12833:$v2_2: get_ScanScreen
- 0x12851:$v2_2: get_ScanTelegram
- 0x12873:$v2_2: get_ScanVPN
- 0x1288b:$v2_2: get_ScanSteam
- 0x128a7:$v2_2: get_ScanDiscord
- 0x128ed:$v2_2: get_ScanChromeBrowsersPaths
- 0x12925:$v2_2: get_ScanGeckoBrowsersPaths
- 0x12d69:$v2_2: get_ScannedWallets
- 0x11efc:$v2_3: GetArguments
- 0x120e1:$v2_4: VerifyUpdate
- 0x11f09:$v2_5: VerifyScanRequest
- 0x120d6:$v2_6: GetUpdates
- 0x17f48:$v2_6: GetUpdates
- 0xffc9:$v4_3: base64str
|
29.2.Mon179e1058f256.exe.5c50ee8.7.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | - 0x12161:$v1_2: <BrowserProfile>k__
- 0x12a93:$v1_3: <SystemHardwares>k__
- 0x1363e:$v1_4: <geoplugin_request>k__
- 0x12b52:$v1_5: <ScannedWallets>k__
- 0x12be2:$v1_6: <DicrFiles>k__
- 0x12bbe:$v1_7: <MessageClientFiles>k__
- 0x12639:$v1_8: <ScanBrowsers>k__BackingField
- 0x1268b:$v1_8: <ScanWallets>k__BackingField
- 0x126a8:$v1_8: <ScanScreen>k__BackingField
- 0x126e2:$v1_8: <ScanVPN>k__BackingField
|
29.2.Mon179e1058f256.exe.5c50000.8.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.5c50000.8.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.5c50000.8.raw.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | - 0x15a51:$a4: get_ScannedWallets
- 0x15539:$a5: get_ScanTelegram
- 0x1560d:$a6: get_ScanGeckoBrowsersPaths
- 0x15760:$a7: <Processes>k__BackingField
- 0x1498f:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0x1535a:$a9: <ScanFTP>k__BackingField
|
29.2.Mon179e1058f256.exe.5c50000.8.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x15300:$u7: RunPE
- 0x15306:$u8: DownloadAndEx
- 0x1ce42:$pat14: , CommandLine:
- 0x148a3:$v2_1: ListOfProcesses
- 0x154a5:$v2_2: get_ScanBrowsers
- 0x154e3:$v2_2: get_ScanFTP
- 0x154fb:$v2_2: get_ScanWallets
- 0x1551b:$v2_2: get_ScanScreen
- 0x15539:$v2_2: get_ScanTelegram
- 0x1555b:$v2_2: get_ScanVPN
- 0x15573:$v2_2: get_ScanSteam
- 0x1558f:$v2_2: get_ScanDiscord
- 0x155d5:$v2_2: get_ScanChromeBrowsersPaths
- 0x1560d:$v2_2: get_ScanGeckoBrowsersPaths
- 0x15a51:$v2_2: get_ScannedWallets
- 0x14be4:$v2_3: GetArguments
- 0x14dc9:$v2_4: VerifyUpdate
- 0x14bf1:$v2_5: VerifyScanRequest
- 0x14dbe:$v2_6: GetUpdates
- 0x1ac30:$v2_6: GetUpdates
- 0x12cb1:$v4_3: base64str
|
29.2.Mon179e1058f256.exe.5c50000.8.raw.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | - 0x14e49:$v1_2: <BrowserProfile>k__
- 0x1577b:$v1_3: <SystemHardwares>k__
- 0x16326:$v1_4: <geoplugin_request>k__
- 0x1583a:$v1_5: <ScannedWallets>k__
- 0x158ca:$v1_6: <DicrFiles>k__
- 0x158a6:$v1_7: <MessageClientFiles>k__
- 0x15321:$v1_8: <ScanBrowsers>k__BackingField
- 0x15373:$v1_8: <ScanWallets>k__BackingField
- 0x15390:$v1_8: <ScanScreen>k__BackingField
- 0x153ca:$v1_8: <ScanVPN>k__BackingField
|
25.2.Mon17948100733a95c58.exe.39d5068.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
25.2.Mon17948100733a95c58.exe.39d5068.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
25.2.Mon17948100733a95c58.exe.39d5068.0.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | - 0x18404:$a3: Software\Valve\SteamLogin Data
- 0x1312f:$a4: get_ScannedWallets
- 0x11b7c:$a5: get_ScanTelegram
- 0x12c59:$a6: get_ScanGeckoBrowsersPaths
- 0x1053d:$a7: <Processes>k__BackingField
- 0xe497:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0xfe4f:$a9: <ScanFTP>k__BackingField
|
25.2.Mon17948100733a95c58.exe.39d5068.0.unpack | Windows_Trojan_RedLineStealer_3d9371fd | unknown | unknown | - 0x13852:$a1: get_encrypted_key
- 0x12bc4:$a2: get_PassedPaths
- 0x10ef6:$a3: ChromeGetLocalName
- 0x1306a:$a4: GetBrowsers
- 0x18404:$a5: Software\Valve\SteamLogin Data
- 0x17c0c:$a6: %appdata%\
- 0x12675:$a7: ScanPasswords
|
25.2.Mon17948100733a95c58.exe.39d5068.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0xf90d:$u7: RunPE
- 0x13736:$u8: DownloadAndEx
- 0x1922c:$pat14: , CommandLine:
- 0x12a34:$v2_1: ListOfProcesses
- 0xfb2e:$v2_2: get_ScanVPN
- 0xfbee:$v2_2: get_ScanFTP
- 0x10959:$v2_2: get_ScanDiscord
- 0x11b60:$v2_2: get_ScanSteam
- 0x11b7c:$v2_2: get_ScanTelegram
- 0x11c39:$v2_2: get_ScanScreen
- 0x12c21:$v2_2: get_ScanChromeBrowsersPaths
- 0x12c59:$v2_2: get_ScanGeckoBrowsersPaths
- 0x13036:$v2_2: get_ScanBrowsers
- 0x1312f:$v2_2: get_ScannedWallets
- 0x13188:$v2_2: get_ScanWallets
- 0x131a8:$v2_3: GetArguments
- 0x1128b:$v2_4: VerifyUpdate
- 0x1357b:$v2_5: VerifyScanRequest
- 0x12aaf:$v2_6: GetUpdates
- 0x16d53:$v2_6: GetUpdates
- 0x125f0:$v4_3: base64str
|
25.2.Mon17948100733a95c58.exe.39d5068.0.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | - 0xffe3:$v1_2: <BrowserProfile>k__
- 0x104e8:$v1_3: <SystemHardwares>k__
- 0x107ed:$v1_4: <geoplugin_request>k__
- 0x10760:$v1_5: <ScannedWallets>k__
- 0x10486:$v1_6: <DicrFiles>k__
- 0x104c4:$v1_7: <MessageClientFiles>k__
- 0xfe22:$v1_8: <ScanVPN>k__BackingField
- 0x101d0:$v1_8: <ScanScreen>k__BackingField
- 0x10722:$v1_8: <ScanBrowsers>k__BackingField
- 0x10780:$v1_8: <ScanWallets>k__BackingField
|
26.2.Mon1785436ae78.exe.400000.0.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
26.2.Mon1785436ae78.exe.400000.0.unpack | JoeSecurity_onlyLogger | Yara detected onlyLogger | Joe Security | |
26.2.Mon1785436ae78.exe.400000.0.unpack | MALWARE_Win_OnlyLogger | Detects OnlyLogger loader variants | ditekSHen | - 0x3e484:$s1: 45 6C 65 76 61 74 65 64 00 00 00 00 4E 4F 54 20 65 6C 65 76 61 74 65 64
- 0x3ea9c:$s2: " /f & erase "
- 0x3eaac:$s3: /c taskkill /im "
- 0x3e88c:$s4: KILLME
- 0x3eac0:$s5: C:\Windows\System32\cmd.exe
- 0x3e57d:$gn: .php?pub=
- 0x3e59f:$gn: .php?pub=
- 0x3e866:$gn: .php?pub=
- 0x3e876:$gn: .php?pub=
- 0x3e8cc:$gn: .php?pub=
- 0x3e5ac:$ip: /1SbGr7
- 0x3e5b4:$ip: /1S3Jr7
- 0x3e5bc:$ip: /1SVGr7
- 0x3e5c4:$ip: /1SDGr7
- 0x3e5cc:$ip: /1SXGr7
- 0x3e5d4:$ip: /1RGrt7
- 0x3e5dc:$ip: /1B6de7
- 0x3e5ec:$ip: /1B8de7
- 0x3e5f8:$ip: /1B9de7
- 0x3e604:$ip: /1exB47
- 0x3e614:$ip: /1ecB47
|
29.2.Mon179e1058f256.exe.47d5570.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.47d5570.4.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.47d5570.4.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | - 0x13c51:$a4: get_ScannedWallets
- 0x13739:$a5: get_ScanTelegram
- 0x1380d:$a6: get_ScanGeckoBrowsersPaths
- 0x13960:$a7: <Processes>k__BackingField
- 0x12b8f:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0x1355a:$a9: <ScanFTP>k__BackingField
|
29.2.Mon179e1058f256.exe.47d5570.4.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x13500:$u7: RunPE
- 0x13506:$u8: DownloadAndEx
- 0x1b042:$pat14: , CommandLine:
- 0x12aa3:$v2_1: ListOfProcesses
- 0x136a5:$v2_2: get_ScanBrowsers
- 0x136e3:$v2_2: get_ScanFTP
- 0x136fb:$v2_2: get_ScanWallets
- 0x1371b:$v2_2: get_ScanScreen
- 0x13739:$v2_2: get_ScanTelegram
- 0x1375b:$v2_2: get_ScanVPN
- 0x13773:$v2_2: get_ScanSteam
- 0x1378f:$v2_2: get_ScanDiscord
- 0x137d5:$v2_2: get_ScanChromeBrowsersPaths
- 0x1380d:$v2_2: get_ScanGeckoBrowsersPaths
- 0x13c51:$v2_2: get_ScannedWallets
- 0x12de4:$v2_3: GetArguments
- 0x12fc9:$v2_4: VerifyUpdate
- 0x12df1:$v2_5: VerifyScanRequest
- 0x12fbe:$v2_6: GetUpdates
- 0x18e30:$v2_6: GetUpdates
- 0x10eb1:$v4_3: base64str
|
29.2.Mon179e1058f256.exe.47d5570.4.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | - 0x13049:$v1_2: <BrowserProfile>k__
- 0x1397b:$v1_3: <SystemHardwares>k__
- 0x14526:$v1_4: <geoplugin_request>k__
- 0x13a3a:$v1_5: <ScannedWallets>k__
- 0x13aca:$v1_6: <DicrFiles>k__
- 0x13aa6:$v1_7: <MessageClientFiles>k__
- 0x13521:$v1_8: <ScanBrowsers>k__BackingField
- 0x13573:$v1_8: <ScanWallets>k__BackingField
- 0x13590:$v1_8: <ScanScreen>k__BackingField
- 0x135ca:$v1_8: <ScanVPN>k__BackingField
|
29.2.Mon179e1058f256.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
- 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
- 0x700:$s3: 83 EC 38 53 B0 C0 88 44 24 2B 88 44 24 2F B0 C3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
- 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
- 0x1e9d0:$s5: delete[]
- 0x1de88:$s6: constructor or from DllMain.
|
29.2.Mon179e1058f256.exe.47d5570.4.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.47d5570.4.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
29.2.Mon179e1058f256.exe.47d5570.4.raw.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | - 0x15a51:$a4: get_ScannedWallets
- 0x32d89:$a4: get_ScannedWallets
- 0x15539:$a5: get_ScanTelegram
- 0x32871:$a5: get_ScanTelegram
- 0x1560d:$a6: get_ScanGeckoBrowsersPaths
- 0x32945:$a6: get_ScanGeckoBrowsersPaths
- 0x15760:$a7: <Processes>k__BackingField
- 0x32a98:$a7: <Processes>k__BackingField
- 0x1498f:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0x31cc7:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0x1535a:$a9: <ScanFTP>k__BackingField
- 0x32692:$a9: <ScanFTP>k__BackingField
|
29.2.Mon179e1058f256.exe.47d5570.4.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x15300:$u7: RunPE
- 0x32638:$u7: RunPE
- 0x15306:$u8: DownloadAndEx
- 0x3263e:$u8: DownloadAndEx
- 0x1ce42:$pat14: , CommandLine:
- 0x3a17a:$pat14: , CommandLine:
- 0x148a3:$v2_1: ListOfProcesses
- 0x31bdb:$v2_1: ListOfProcesses
- 0x154a5:$v2_2: get_ScanBrowsers
- 0x154e3:$v2_2: get_ScanFTP
- 0x154fb:$v2_2: get_ScanWallets
- 0x1551b:$v2_2: get_ScanScreen
- 0x15539:$v2_2: get_ScanTelegram
- 0x1555b:$v2_2: get_ScanVPN
- 0x15573:$v2_2: get_ScanSteam
- 0x1558f:$v2_2: get_ScanDiscord
- 0x155d5:$v2_2: get_ScanChromeBrowsersPaths
- 0x1560d:$v2_2: get_ScanGeckoBrowsersPaths
- 0x15a51:$v2_2: get_ScannedWallets
- 0x327dd:$v2_2: get_ScanBrowsers
- 0x3281b:$v2_2: get_ScanFTP
|
29.2.Mon179e1058f256.exe.47d5570.4.raw.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | - 0x14e49:$v1_2: <BrowserProfile>k__
- 0x32181:$v1_2: <BrowserProfile>k__
- 0x1577b:$v1_3: <SystemHardwares>k__
- 0x32ab3:$v1_3: <SystemHardwares>k__
- 0x16326:$v1_4: <geoplugin_request>k__
- 0x3365e:$v1_4: <geoplugin_request>k__
- 0x1583a:$v1_5: <ScannedWallets>k__
- 0x32b72:$v1_5: <ScannedWallets>k__
- 0x158ca:$v1_6: <DicrFiles>k__
- 0x32c02:$v1_6: <DicrFiles>k__
- 0x158a6:$v1_7: <MessageClientFiles>k__
- 0x32bde:$v1_7: <MessageClientFiles>k__
- 0x15321:$v1_8: <ScanBrowsers>k__BackingField
- 0x15373:$v1_8: <ScanWallets>k__BackingField
- 0x15390:$v1_8: <ScanScreen>k__BackingField
- 0x153ca:$v1_8: <ScanVPN>k__BackingField
- 0x32659:$v1_8: <ScanBrowsers>k__BackingField
- 0x326ab:$v1_8: <ScanWallets>k__BackingField
- 0x326c8:$v1_8: <ScanScreen>k__BackingField
- 0x32702:$v1_8: <ScanVPN>k__BackingField
|
29.3.Mon179e1058f256.exe.18a9250.1.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
29.3.Mon179e1058f256.exe.18a9250.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
29.3.Mon179e1058f256.exe.18a9250.1.raw.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | - 0x14b69:$a4: get_ScannedWallets
- 0x14651:$a5: get_ScanTelegram
- 0x14725:$a6: get_ScanGeckoBrowsersPaths
- 0x14878:$a7: <Processes>k__BackingField
- 0x13aa7:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
- 0x14472:$a9: <ScanFTP>k__BackingField
|
29.3.Mon179e1058f256.exe.18a9250.1.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x14418:$u7: RunPE
- 0x1441e:$u8: DownloadAndEx
- 0x1bf5a:$pat14: , CommandLine:
- 0x139bb:$v2_1: ListOfProcesses
- 0x145bd:$v2_2: get_ScanBrowsers
- 0x145fb:$v2_2: get_ScanFTP
- 0x14613:$v2_2: get_ScanWallets
- 0x14633:$v2_2: get_ScanScreen
- 0x14651:$v2_2: get_ScanTelegram
- 0x14673:$v2_2: get_ScanVPN
- 0x1468b:$v2_2: get_ScanSteam
- 0x146a7:$v2_2: get_ScanDiscord
- 0x146ed:$v2_2: get_ScanChromeBrowsersPaths
- 0x14725:$v2_2: get_ScanGeckoBrowsersPaths
- 0x14b69:$v2_2: get_ScannedWallets
- 0x13cfc:$v2_3: GetArguments
- 0x13ee1:$v2_4: VerifyUpdate
- 0x13d09:$v2_5: VerifyScanRequest
- 0x13ed6:$v2_6: GetUpdates
- 0x19d48:$v2_6: GetUpdates
- 0x11dc9:$v4_3: base64str
|
29.3.Mon179e1058f256.exe.18a9250.1.raw.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | - 0x13f61:$v1_2: <BrowserProfile>k__
- 0x14893:$v1_3: <SystemHardwares>k__
- 0x1543e:$v1_4: <geoplugin_request>k__
- 0x14952:$v1_5: <ScannedWallets>k__
- 0x149e2:$v1_6: <DicrFiles>k__
- 0x149be:$v1_7: <MessageClientFiles>k__
- 0x14439:$v1_8: <ScanBrowsers>k__BackingField
- 0x1448b:$v1_8: <ScanWallets>k__BackingField
- 0x144a8:$v1_8: <ScanScreen>k__BackingField
- 0x144e2:$v1_8: <ScanVPN>k__BackingField
|
19.0.Mon17c604381c7047e.exe.7ff72f5c0000.0.unpack | JoeSecurity_Generic_malware | Yara Generic_malware | Joe Security | |
19.2.Mon17c604381c7047e.exe.7ff72f5c0000.0.unpack | JoeSecurity_Generic_malware | Yara Generic_malware | Joe Security | |
1.3.setup_installer.exe.320451a.6.raw.unpack | JoeSecurity_Generic_malware | Yara Generic_malware | Joe Security | |
1.3.setup_installer.exe.320451a.6.unpack | JoeSecurity_Generic_malware | Yara Generic_malware | Joe Security | |
1.3.setup_installer.exe.31d6d4a.4.raw.unpack | JoeSecurity_Generic_malware | Yara Generic_malware | Joe Security | |