ades_stealer | 113b0924918108cb91c24df1430e507ca69b8ea67be90f8d2dc6f12fa9122181

Sharing

Copy URL Twitter E-mail

General

Target

250519-cagepsgm3t.bin
Size

59.5MB
Sample

250519-ctmqtsgp3w
MD5

db2a64ed6dac0099bc7ffb6de294cbb0
SHA1

8f9d116a00838d07aeefefbb4e9b12b3752f170b
SHA256

113b0924918108cb91c24df1430e507ca69b8ea67be90f8d2dc6f12fa9122181
SHA512

5a00102418f2d8f30d0c75a1b39c509aa2db51e6b4eb29330aec873abe347cf25b0c1e6ac48b7dfaf98ea20f4c8816d91c65076b61b35fa7e8ac2470b3520355
SSDEEP

1572864:bnMyy0iqwhWP4Vwg/MepmMJyQGvZnHlONwMtGh2N3x:bMciqwhWgVwg/Md4yQGvZnHlO1V3x

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.156.72.2/testmine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.156.72.2/testmine/random.exe

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

redline

Botnet

cheat

154.91.34.165:64951

Extracted

Family

discordrat

Attributes

discord_token
MTM0OTU1Nzg2MTk3NzY4NjExOA.GZnBJ8.ModoCKrx8GueOq0zGHlbO14l4wHwAZe9839-DA
server_id
1350894549899411528

Extracted

Path

C:\fa79de221d524b769d0447\Data breach warning.txt

Ransom Note

# RA World ---- ## Notification Your data are stolen and encrypted when you read this letter. We have copied all data to our server. Don't worry, your data will not be made public if you do what I want. But if you don't pay, we will release the data, contact your customers and regulators and destroy your system again. We can decrypt some files to prove that the decrypt tool works correctly. ## What we want? Contact us, pay for ransom. If you pay, we will provide you the programs for decryption and we will delete your data where on our servers. If not, we will leak your datas and your company will appear in the shame list below. If not, we will email to your customers and report to supervisory authority. ## How contact us? We use qTox to contact, you can download qTox from office website: https://qtox.github.io Our qTox ID is: 358AC0F6C813DD4FD243524F040E2F77969278274BD8A8945B5041A249786E32CC784580F2EC We have no other contacts. If there is no contact within 3 days, you will appear on our website and we will make sample files public. If there is no contact within 7 days, we will stop communicating and release data in batches. The longer time, the higher ransom. ## RA World Office Site: [Permanent address] http://raworldw32b2qxevn3gp63pvibgixr4v75z62etlptg3u3pmajwra4ad.onion [Temporary address] http://161.35.200.18 ## Sample files release link: Sample files: https://gofile.io/d/ufuFye ## Unpay Victim Lists *** You'll be here too if you don't pay! *** *** More and more people will get your files! *** [NIDEC GPM GmbH] [Die Unfallkasse Th�ringen] [HALLIDAYS GROUP LIMITED] [Rockford Gastroenterology Associates] [Di Martino Group] [Alablaboratoria] [Comer] [Informist Media] [SUMMIT VETERINARY PHARMACEUTICALS LIMITED] [Chung Hwa Chemical Industrial Works] [Aceromex] [247ExpressLogistics] [Yuxin Automobile Co.Ltd] [Piex Group] [Zurvita] [BiscoIndustries] [Decimal Point Analytics Pvt] [DeepNoid] [Eastern Media International Corporation] [EyeGene] [Insurance Providers Group] [Thaire] [Wealth Enhancement Group] You can use Tor Browser to open .onion url. Ger more information from Tor office website: https://www.torproject.org

URLs

https://qtox.github.io

http://raworldw32b2qxevn3gp63pvibgixr4v75z62etlptg3u3pmajwra4ad.onion

http://161.35.200.18

https://gofile.io/d/ufuFye

Extracted

Path

C:\fnsYm5R5i.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: 2936B8B4C916B76C602C0757AF7EBF04 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Extracted

Path

C:\ahIFlNJOT.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> you can contact us in mail or tox. Tox ID LockBitSupp: 599A61A3310B75EC1713521B487B9FD9D2D02CCF37830FF941DD3AD35F12E86960AC75B9F171 mail Support: [email protected] >>>> Your personal DECRYPTION ID: EB62581AF710E223F303C41AC38969B7 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 599A61A3310B75EC1713521B487B9FD9D2D02CCF37830FF941DD3AD35F12E86960AC75B9F171 mail Support: [email protected]

Emails

[email protected]

URLs

https://twitter.com/hashtag/lockbit?f=live

https://tox.chat/download.html

Extracted

Path

C:\d_cachefFkiLT6vY667h6bO\readme.txt

Family

dragonforce

Ransom Note

Hello! Your files have been stolen from your network and encrypted with a strong algorithm. We work for money and are not associated with politics. All you need to do is contact us and pay. --- Our communication process: 1. You contact us. 2. We send you a list of files that were stolen. 3. We decrypt 1 file to confirm that our decryptor works. 4. We agree on the amount, which must be paid using BTC. 5. We delete your files, we give you a decryptor. 6. We give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- Client area (use this site to contact us): Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion >>> Use this ID: 92754795DC1DE6F492754795DC1DE6F4 to begin the recovery process. * In order to access the site, you will need Tor Browser, you can download it from this link: https://www.torproject.org/ --- Additional contacts: Support Tox: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20 --- Recommendations: DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. --- Important: If you refuse to pay or do not get in touch with us, we start publishing your files. 16/04/2025 00:00 UTC the decryptor will be destroyed and the files will be published on our blog. Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion Sincerely, 01000100 01110010 01100001 01100111 01101111 01101110 01000110 01101111 01110010 01100011 01100101

URLs

http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion

http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion

Extracted

Family

vipkeylogger

Extracted

Family

masslogger

Attributes

exfiltration_mode
#SMTPEnabled
expire_time_date
2025-06-14
host_password
DhakaHome2024
host_port
587
host_receiver
[email protected]
host_sender
[email protected]
host_server
mail.dhakahome.com
ssl_slate
True

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.156.72.2/testmine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.156.72.2/testmine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.156.72.2/testmine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.156.72.2/testmine/random.exe

Extracted

Family

vidar

Version

13.6

Botnet

158fdd2a4f5abb978509580715e5353f

https://t.me/m00f3r

https://steamcommunity.com/profiles/76561199851454339

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted

Family

gh0strat

192.168.1.221

Extracted

Family

cobaltstrike

Botnet

987654321

http://103.171.35.26:9443/dot.gif

Attributes

access_type
512
beacon_type
2048
host
103.171.35.26,/dot.gif
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
9443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYwABfVZCivHbnjZUO+BO81zPgD/iC2oPyKTKg/ktH1Zbz3KyDsPWnMof9juyAfTGI73mxgqkNUk3MwtLRfIqw+cleDaWzp4gE2tnKy9qy4dqKpTA6yNxxtvSYH3EW3YQb7BsYeNZclmAmezp4zgRUwqydV21a6CYhEsjH2IeQ7wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUSMSE)
watermark
987654321

Extracted

Family

gcleaner

gc-prtnrs.top

gcc-prtnrs.top

194.145.227.161

Extracted

Family

xworm

Version

5.0

paltalkroom.ddns.net:65236

Mutex

Y1mBse1uakfJ6zP1

Attributes

Install_directory
%Temp%
install_file
test.exe

aes.plain

Extracted

Family

privateloader

http://45.133.1.182/proxies.txt

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

Extracted

Family

nullmixer

http://hsiens.xyz/

Extracted

Family

redline

Botnet

jamesbig

65.108.20.195:6774

Extracted

Family

vidar

Version

Botnet

706

https://mas.to/@killern0

Attributes

profile_id
706

Targets

- Target
  
  DIANTRE.exe
- Size
  
  181KB
- MD5
  
  4b0110af5a72e67cec6658288e1eff17
- SHA1
  
  3ccb66dc69ee49efea11ce16b7141231774f83c8
- SHA256
  
  f7c16702691c9994039953698fb3ebba129b67a19399d237187cbe2b3549e549
- SHA512
  
  9d01276fcf0ee1a04f50a789ca04e65c258b9535be91f13bcfe21211e2997dee9c9aa0b9493977e9e24ee49de236a3537eccc1feecc0c653a2909a7edbdf1fa6
- SSDEEP
  
  3072:QV6J7DKdmNZTfoviqI31TE4k1q0CkOJt2B2amYJVcnId1OPPEY4Cf/3:L7DKduDovdMTE46C5Jt2o9jO14EYZff
Score

1^/10
behavioral1
- Target
  
  Tsar2.exe
- Size
  
  27.5MB
- MD5
  
  c727fdd03392adb14724ee5cccf3f01c
- SHA1
  
  0636c0fa0e1468941667ee31b86220e9300fcb0e
- SHA256
  
  6ce1e9b6a5920124d1f561cb97a3e33f69ac8494f20a53af3e00b2616ab78baf
- SHA512
  
  a5b433df2fa86e9d4c0f3405fee6e25d4542ff60bdffa21170fb9ef51674ecda8c2d077c5187e6e0fa447ce91b9e6dcc2b35123d6844dbae2281cb4c327689e1
- SSDEEP
  
  786432:Tlb06NOJoaeIbJ7fj60BEL5ZcZqXkaZo6ss1Y:RZOKaeIbi5yZqX3Zo6g
Score

10^/10

ades_stealer chaos dcrat discordrat dragonforce floxif lockbit masslogger modiloader raworld redline rokrat sality sectoprat umbral vipkeylogger xorist xworm cheat aspackv2 backdoor credential_access defense_evasion discovery execution infostealer keylogger persistence ransomware rat rootkit spyware stealer trojan upx
- AdesStealer
  AdesStealer is a modular stealer written in C#.
  stealer ades_stealer
- Ades_stealer family
  ades_stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Chaos family
  chaos
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Detect Rokrat payload
- Detect Umbral payload
- Detect Xworm Payload
- Detected Xorist Ransomware
- Detects AdesStealer
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Discordrat family
  discordrat
- DragonForce
  Ransomware family based on Lockbit that was first observed in November 2023.
  ransomware dragonforce
- Dragonforce family
  dragonforce
- Floxif family
  floxif
- Floxif, Floodfix
  Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
  backdoor trojan floxif
- Lockbit
  Ransomware family with multiple variants released since late 2019.
  ransomware lockbit
- Lockbit family
  lockbit
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
  stealer spyware masslogger
- Masslogger family
  masslogger
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modifies firewall policy service
  defense_evasion
- Modiloader family
  modiloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RA World
  RA World ransomware, also known as RA Group, is a crypto-ransomware variant that has evolved from the earlier Babuk ransomware. It emerged in April 2023.
  ransomware raworld
- Raworld family
  raworld
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Rokrat
  Rokrat is a remote access trojan written in c++.
  rat rokrat
- Rokrat family
  rokrat
- Rule to detect Lockbit 3.0 ransomware Windows payload
- Sality
  Sality is backdoor written in C++, first discovered in 2003.
  backdoor sality
- Sality family
  sality
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- UAC bypass
  defense_evasion trojan
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Windows security bypass
  defense_evasion trojan
- Xorist Ransomware
  Xorist is a ransomware first seen in 2020.
  ransomware xorist
- Xorist family
  xorist
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- DCRat payload
  rat
- Detects Floxif payload
  backdoor
- ModiLoader Second Stage
- Renames multiple (180) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Disables Task Manager via registry modification
  defense_evasion
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  defense_evasion trojan
- Checks whether UAC is enabled
  defense_evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral2
- Target
  
  Tsar3.exe
- Size
  
  28.0MB
- MD5
  
  9d5cc021c717c67eddfbf3e02b5e6dc5
- SHA1
  
  dd333af1d10fb0ea0542e878a0b70bdba22b469c
- SHA256
  
  1b3e438ef3a09058ddc016b8b7dda3cfde411c773a45eae629f36202b83a86f5
- SHA512
  
  9f0b92c7d3452f2de97ea3e69dc72423606132a5b5e3092f4424ecba184b003622c7ca7dc5d722e2a5157f38f66128781021eab323784544a1f846c44bd7ae2f
- SSDEEP
  
  786432:AWZL9CVOBV7QGst9Ozg90Sp0XCCLAkq9wKdMPpbs:AWZL9WOBVsGst9Ozg5ICUzVNBb
Score

10^/10

ades_stealer chaos dcrat discordrat dragonforce floxif lockbit masslogger modiloader redline rokrat sality sectoprat umbral vipkeylogger xorist cheat aspackv2 backdoor credential_access discovery execution infostealer keylogger persistence ransomware rat rootkit spyware stealer trojan upx
- AdesStealer
  AdesStealer is a modular stealer written in C#.
  stealer ades_stealer
- Ades_stealer family
  ades_stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Chaos family
  chaos
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Detect Rokrat payload
- Detect Umbral payload
- Detected Xorist Ransomware
- Detects AdesStealer
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Discordrat family
  discordrat
- DragonForce
  Ransomware family based on Lockbit that was first observed in November 2023.
  ransomware dragonforce
- Dragonforce family
  dragonforce
- Floxif family
  floxif
- Floxif, Floodfix
  Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
  backdoor trojan floxif
- Lockbit
  Ransomware family with multiple variants released since late 2019.
  ransomware lockbit
- Lockbit family
  lockbit
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
  stealer spyware masslogger
- Masslogger family
  masslogger
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modiloader family
  modiloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Rokrat
  Rokrat is a remote access trojan written in c++.
  rat rokrat
- Rokrat family
  rokrat
- Rule to detect Lockbit 3.0 ransomware Windows payload
- Sality
  Sality is backdoor written in C++, first discovered in 2003.
  backdoor sality
- Sality family
  sality
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Xorist Ransomware
  Xorist is a ransomware first seen in 2020.
  ransomware xorist
- Xorist family
  xorist
- DCRat payload
  rat
- Detects Floxif payload
  backdoor
- ModiLoader Second Stage
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral3
- Target
  
  TsarBomba.exe
- Size
  
  25.2MB
- MD5
  
  91025d6f02e542f2e37ffce7d0ce8b51
- SHA1
  
  e2d80ef6075556cd23ce0445473c061f200b5dd4
- SHA256
  
  3755718db9d33f4aba2563de454d4530a308b41b1096c904102d08e2101f2020
- SHA512
  
  09c6d7f8b64c75e963d63ad1478a81f567182a948d652346f1c68d233efead615703aadb4ce9cd5e5fd7235089f2439e9153231ea3e1a2c677ae84aec29afc89
- SSDEEP
  
  393216:NVn+SLSF5pdHn2AXUCITkkkkkrkkkkkkkkkkkk6lX0wfGtbYTZb08MQUCITkkkkS:PduvnNG0shAQ31qnMb5OM9Tt
Score

10^/10

ades_stealer chaos cobaltstrike dcrat discordrat dragonforce gcleaner gh0strat lockbit masslogger modiloader onlylogger redline rokrat sectoprat umbral vidar vipkeylogger xorist xworm 158fdd2a4f5abb978509580715e5353f 987654321 cheat aspackv2 backdoor credential_access cryptone defense_evasion discovery execution impact infostealer keylogger loader packer persistence ransomware rat rootkit spyware stealer trojan
- AdesStealer
  AdesStealer is a modular stealer written in C#.
  stealer ades_stealer
- Ades_stealer family
  ades_stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Chaos family
  chaos
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Cobaltstrike family
  cobaltstrike
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Detect Rokrat payload
- Detect Umbral payload
- Detect Vidar Stealer
  stealer
- Detect Xworm Payload
- Detected Xorist Ransomware
- Detects AdesStealer
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Discordrat family
  discordrat
- DragonForce
  Ransomware family based on Lockbit that was first observed in November 2023.
  ransomware dragonforce
- Dragonforce family
  dragonforce
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Gh0strat family
  gh0strat
- Lockbit
  Ransomware family with multiple variants released since late 2019.
  ransomware lockbit
- Lockbit family
  lockbit
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
  stealer spyware masslogger
- Masslogger family
  masslogger
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modiloader family
  modiloader
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Rokrat
  Rokrat is a remote access trojan written in c++.
  rat rokrat
- Rokrat family
  rokrat
- Rule to detect Lockbit 3.0 ransomware Windows payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Vipkeylogger family
  vipkeylogger
- Xorist Ransomware
  Xorist is a ransomware first seen in 2020.
  ransomware xorist
- Xorist family
  xorist
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- CryptOne packer
  Detects CryptOne packer defined in NCC blogpost.
  cryptone packer
- DCRat payload
  rat
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- ModiLoader Second Stage
- OnlyLogger payload
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
behavioral4
- Target
  
  setup_x86_x64_install.exe
- Size
  
  3.5MB
- MD5
  
  fa2441ccd5d677b471a8d0c0b0436770
- SHA1
  
  88409a1a9bef3d372289ed2b58187789aba58e0e
- SHA256
  
  bd3791c8832bbcf0d4a88cb45a45628b44f9de773243109bd7b3dd0b2d950832
- SHA512
  
  afea757b6965cbf533a6af965e388e38eb63a4d4a8eb4e1b80a8400e88746e690f0f9eb7b37ebdda1feadc11199aa75c47eb6310cbeedddc90b16c7368f7bb67
- SSDEEP
  
  98304:y28y/bgumqItruMIdiSJvDQ6xgdKjrAr/W9:y2Tgumqy1AikP13D
Score

10^/10

fabookie gcleaner nullmixer onlylogger privateloader redline sectoprat socelars vidar 706 jamesbig aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- OnlyLogger payload
- Vidar Stealer
  stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral5
- Target
  
  setup_installer.exe
- Size
  
  3.5MB
- MD5
  
  091e1f011b8b7f7cad3b8c5da34b6f1c
- SHA1
  
  2b69f901aceee32731309b67c0ebfd95e276ad34
- SHA256
  
  7eaca01fcbf91db047d9f5acbc2d192e396400919e6c33bcbb5076580e62554c
- SHA512
  
  c8da9f981b2104f578903feab3c98086dbc43b72132e2268e4f821d355dc6819025b6692718412d329c1812dd2d241582ed2ff7c943e4ec3fe81c0f306e10d04
- SSDEEP
  
  98304:xWCvLUBsgXr1AL/Hf1OjWrbUwDVe5ie3x7Qxw:xfLUCgXr1UffMWhe5l3xP
Score

10^/10

fabookie gcleaner nullmixer onlylogger privateloader redline sectoprat socelars vidar 706 jamesbig aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- OnlyLogger payload
- Vidar Stealer
  stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral6