Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected ReverseShell
Yara detected Vidar stealer
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Powershell drops PE file
Searches for specific processes (likely to inject)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Browser Started with Remote Debugging
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match