Analysis
- task: behavioral13 (the YARA hits under Signatures are keyed to it)
- max time kernel: 38s
- max time network: 104s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 24-11-2020 02:32
Static task
- static1

Behavioral tasks (sample, resource)
- behavioral1: 197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe, win7v20201028
- behavioral2: 197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe, win10v20201028
- behavioral3: 302d77c6ec68c07741be2ae0d0c26bc88c85f525c8e3766ebf23dba34802f956.exe, win7v20201028
- behavioral4: 302d77c6ec68c07741be2ae0d0c26bc88c85f525c8e3766ebf23dba34802f956.exe, win10v20201028
- behavioral5: 466d872ddb9f8ce7db8d16d171b9ba398f99c98c79e63396760cda7426d9460d.exe, win7v20201028
- behavioral6: 466d872ddb9f8ce7db8d16d171b9ba398f99c98c79e63396760cda7426d9460d.exe, win10v20201028
- behavioral7: 6d13a07022cd549f981cc929795c9c1b18c424a0faff27c1faa8990ca843c6f4.exe, win7v20201028
- behavioral8: 6d13a07022cd549f981cc929795c9c1b18c424a0faff27c1faa8990ca843c6f4.exe, win10v20201028
- behavioral9: 8c1d1de824c079bfec155f05b5f24fd4e1c64c015286ac417b3a587124d743ef.exe, win7v20201028
- behavioral10: 8c1d1de824c079bfec155f05b5f24fd4e1c64c015286ac417b3a587124d743ef.exe, win10v20201028
- behavioral11: a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe, win7v20201028
- behavioral12: a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe, win10v20201028
- behavioral13: a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe, win7v20201028
- behavioral14: a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe, win10v20201028
- behavioral15: af82bed2c58c403908faf323310cf6a65a7e3bfe098cc930eb5ac4bfe9315ef4.apk, android-x86_64
- behavioral16: c6c0d4969ac74cdc574fae3ace12a4ad64858ec5ab292733ae78fd3d04696536.exe, win7v20201028
- behavioral17: c6c0d4969ac74cdc574fae3ace12a4ad64858ec5ab292733ae78fd3d04696536.exe, win10v20201028
- behavioral18: d92ef7281e3b5145835ffa17ff869c5569011ffb9ad327eeecfddebe31cdc31a.exe, win7v20201028
- behavioral19: d92ef7281e3b5145835ffa17ff869c5569011ffb9ad327eeecfddebe31cdc31a.exe, win10v20201028
- behavioral20: dffb2eaccbbfd1077d7679ecba62bb75de32259c70e28a84b32750fdfb17e13a.exe, win7v20201028
- behavioral21: dffb2eaccbbfd1077d7679ecba62bb75de32259c70e28a84b32750fdfb17e13a.exe, win10v20201028
- behavioral22: e247b061c89190fa7fec3ce419b3ed58e088db8a58fa40fc208d3995b149adb1.exe, win7v20201028
- behavioral23: e247b061c89190fa7fec3ce419b3ed58e088db8a58fa40fc208d3995b149adb1.exe, win10v20201028
General
- Target: a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe
- Size: 590KB
- MD5: 6611edb58235884e8499d12cdfa808be
- SHA1: 7d1f2d13c59930dbb8e2547f3748215da9f20ee9
- SHA256: a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d
- SHA512: 283769a041c725cfca6501b47979d8a51695535f701dca45d0c444a5e0d903e40a19ca98adc26f54998f2a4c27b9772bd821196c19f2b6ba485c837d79c803c2
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
  Memory YARA hits (rule agent_tesla), all in PID 868 of behavioral13, 4 IoCs:
  behavioral13/memory/868-10-0x0000000000400000-0x0000000000426000-memory.dmp
  behavioral13/memory/868-11-0x000000000042040E-mapping.dmp
  behavioral13/memory/868-13-0x0000000000400000-0x0000000000426000-memory.dmp
  behavioral13/memory/868-14-0x0000000000400000-0x0000000000426000-memory.dmp
  The hits sit at the default image base 0x400000 of PID 868, the BubbleBrowser.exe child whose thread context PID 1532 rewrote (see the SetThreadContext entry), i.e. the unpacked payload rather than the on-disk dropper.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  No RedLine IoCs are listed on this page; the memory hits above attribute PID 868 to Agent Tesla only.
- Executes dropped EXE (3 IoCs)
  Processes:
  PID 1532 BubbleBrowser.exe
  PID 544 BubbleBrowser.exe
  PID 868 BubbleBrowser.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flow 19: checkip.amazonaws.com
- Modifies service (2 TTPs, 1 IoC)
  Processes:
  PID 868 BubbleBrowser.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ASP.NET_4.0.30319\Names\e7zeFS5HxNsTpdXMr5DJXBqXQczNkbu649p1gca3Uj45R6oqE8FAflup0QDJGbLritV7GnywGZmIBovHWFlH4VKawyYj8etBOOSnT2SUCRwCKVPvjpc15l = "868"
  Caveat: this is not a change to a service's configuration. Values under services\ASP.NET_4.0.30319\Names are written by the .NET Framework's ASP.NET performance-counter registration when a managed process initialises; the value name is the counter instance name and the data is the writing process's own PID (868 here). It confirms PID 868 is running managed code, consistent with the Agent Tesla memory hits, but it is not persistence.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 1532 BubbleBrowser.exe set thread context of PID 868 BubbleBrowser.exe
  Caller and target share the same image and the target is the caller's own child; combined with the 9 WriteProcessMemory calls from 1532 into 868 and the agent_tesla hits at 0x400000 in 868, this is process hollowing: the first BubbleBrowser.exe instance starts a copy of itself and replaces its image with the unpacked payload. PID 544, the other child, received writes but no thread-context change.
- Modifies system certificate store (3 IoCs)
  The key is created under AuthRoot, the store Windows fills on demand through CryptoAPI root-certificate auto-update, not under ROOT. The key name 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 is the SHA-1 thumbprint of the DigiCert High Assurance EV Root CA, and the Blob below carries the "DigiCert" friendly name and that subject in its DER body (valid 2006-11-10 to 2031-11-10). This is the OS caching a public root needed by the dropper's first TLS connection or signature-chain check, not an attacker-installed root. Worth checking when triaging this signature: whether anything was also written under ...\SystemCertificates\ROOT\Certificates, which would be a genuine trust-store modification.
  Processes:
a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6d
fe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe -
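The Blob value above is a CryptoAPI serialized certificate-property list: a run of records, each a little-endian (property id, reserved = 1, length, data) header followed by the data, with property id 32 holding the DER certificate itself. The Python below is an added example and not part of the report or of any Windows tool: it walks the records, checks the SHA-1 property (id 3) against the registry key name, decodes the UTF-16 friendly name and the EKU OID list, and, if the certificate record is complete, hashes the DER to confirm the thumbprint independently. The embedded input is the page's own Blob cut off at the start of the certificate record so the block stays short and the truncation path is exercised; the full Blob from the report can be passed to summarize() unchanged. Property-id names are taken from wincrypt.h; the function names and output keys are this example's own.

```python
"""Decode a CryptoAPI certificate Blob as stored under
HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\<store>\\Certificates\\<SHA1>\\Blob.
Added example; the record layout is the one Windows uses for serialized
certificate-context properties (dwPropId, dwReserved=1, cbData, data)."""
import hashlib
import struct

# Property ids from wincrypt.h for the records that appear in AuthRoot entries.
PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID",
    4: "CERT_MD5_HASH_PROP_ID",
    9: "CERT_ENHKEY_USAGE_PROP_ID",
    11: "CERT_FRIENDLY_NAME_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID",
    20: "CERT_KEY_IDENTIFIER_PROP_ID",
    25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID",
    83: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
}

# Registry key name from the report: the certificate's SHA-1 thumbprint.
KEY_NAME = "5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25"

# The report's Blob value, cut right after the header of the CERT_CERT_PROP_ID
# record (its 969-byte DER body is left out here to keep the example short).
BLOB_HEX = (
    "190000000100000010000000ba4f3972e7aed9dccdc210db59da13c9"
    "0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25"
    "1d00000001000000100000008f76b981d528ad4770088245e2031b63"
    "0b0000000100000012000000440069006700690043006500720074000000"
    "140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc3"
    "5300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0"
    "090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308"
    "0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8"
    "2000000001000000c9030000308203c5"
)


def parse_blob(blob: bytes) -> dict:
    """Walk the property records; stop cleanly on a truncated record so a
    partial registry export still yields everything before the cut."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            props["_truncated_at"] = prop_id
            break
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def decode_oid(content: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_eku(der: bytes) -> list:
    """Parse the EKU payload: SEQUENCE OF OBJECT IDENTIFIER, short-form lengths."""
    assert der[0] == 0x30 and der[1] < 0x80, "unexpected EKU encoding"
    body, oids, i = der[2:2 + der[1]], [], 0
    while i < len(body):
        assert body[i] == 0x06, "expected OID tag"
        n = body[i + 1]
        oids.append(decode_oid(body[i + 2:i + 2 + n]))
        i += 2 + n
    return oids


def summarize(key_name: str, blob_hex: str) -> dict:
    """Return the facts a triager wants from one Certificates\\<SHA1>\\Blob value."""
    props = parse_blob(bytes.fromhex(blob_hex))
    out = {"properties": [PROP_NAMES.get(p, str(p)) for p in props if isinstance(p, int)]}
    sha1 = props.get(3)
    out["thumbprint"] = sha1.hex().upper() if sha1 else None
    out["thumbprint_matches_key"] = bool(sha1) and sha1.hex().upper() == key_name.upper()
    if 11 in props:
        out["friendly_name"] = props[11].decode("utf-16-le").rstrip("\x00")
    if 9 in props:
        out["eku"] = decode_eku(props[9])
    if 32 in props:  # full certificate present: recompute the thumbprint from the DER
        out["sha1_of_cert"] = hashlib.sha1(props[32]).hexdigest().upper()
    out["truncated"] = "_truncated_at" in props
    return out


if __name__ == "__main__":
    for k, v in summarize(KEY_NAME, BLOB_HEX).items():
        print(f"{k}: {v}")
```

On the page's value the SHA-1 record equals the key name, the friendly name is "DigiCert", and the EKU list is serverAuth, clientAuth, emailProtection, codeSigning and timeStamping (1.3.6.1.5.5.7.3.1/.2/.4/.3/.8). A mismatch between the id-3 record and the key name, or between sha1_of_cert and both, is what would point at a hand-crafted store entry rather than the auto-update cache.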
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 1532 BubbleBrowser.exe (2), PID 868 BubbleBrowser.exe (1)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege enabled by PID 1532 BubbleBrowser.exe and by PID 868 BubbleBrowser.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  Source PID -> target PID (number of calls):
  1744 a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe -> 1532 BubbleBrowser.exe (4)
  1532 BubbleBrowser.exe -> 544 BubbleBrowser.exe (4)
  1532 BubbleBrowser.exe -> 868 BubbleBrowser.exe (9)
  868 BubbleBrowser.exe -> 1576 cmd.exe (4)
  1576 cmd.exe -> 816 PING.EXE (4)
  Four writes per child is the baseline every parent shows here when it starts a process; the extra writes from 1532 into 868 are the payload being written into the child whose thread context 1532 then set.
Processes
- C:\Users\Admin\AppData\Local\Temp\a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe (PID 1744)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe"
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe (PID 1532)
    Command line: C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe daut
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe (PID 544)
      Command line: "C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe"
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe (PID 868)
      Command line: "C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe"
      - Executes dropped EXE
      - Modifies service
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 1576)
        Command line: "cmd.exe" /C ping 127.0.0.1 -n 3 > nul &del "C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\PING.EXE (PID 816)
          Command line: ping 127.0.0.1 -n 3
          - Runs ping.exe
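Two behaviours in this tree are cheap to detect from ordinary process-creation telemetry: a process that starts a copy of its own image and then calls SetThreadContext on that child (PID 1532 -> 868, the hollowing pattern), and a cmd.exe that delays with a loopback ping and then deletes the image of one of its ancestors (PID 1576 deleting BubbleBrowser.exe, the image of its parent PID 868). The Python below is an added example and not part of the report or of any product: the event records are constructed from the PIDs, images and command lines in the tree above, while the record fields, rule names and function names are this example's own. PID 544, which shares the image but never had its thread context changed, shows why the first rule needs both conditions.

```python
"""Detection logic over process-creation records shaped like the tree above.
Added example: records are constructed from the report's PIDs, images and
command lines; field names, rule names and output keys are this example's own."""
import re

EVENTS = [
    {"pid": 1744, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe"'},
    {"pid": 1532, "ppid": 1744,
     "image": r"C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe",
     "cmdline": r"C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe daut"},
    {"pid": 544, "ppid": 1532,
     "image": r"C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe"'},
    {"pid": 868, "ppid": 1532,
     "image": r"C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe"'},
    {"pid": 1576, "ppid": 868,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"cmd.exe" /C ping 127.0.0.1 -n 3 > nul &del "C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe"'},
    {"pid": 816, "ppid": 1576,
     "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": r"ping 127.0.0.1 -n 3"},
]
# The report's SetThreadContext IoC as (calling pid, target pid) pairs.
SET_THREAD_CONTEXT = [(1532, 868)]

# "ping <loopback> -n N ... & del <args>": loopback ping as a sleep, then delete.
PING_DEL = re.compile(
    r"ping\s+(?:127\.0\.0\.1|localhost)\s+-n\s+(\d+).*?&+\s*del\s+(?P<args>.+)$",
    re.IGNORECASE,
)


def _by_pid(events):
    return {e["pid"]: e for e in events}


def ancestors(pid, table):
    """Yield parent, grandparent, ... until the chain leaves the table."""
    while pid in table and table[pid]["ppid"] in table:
        pid = table[pid]["ppid"]
        yield table[pid]


def find_self_hollowing(events, ctx_calls):
    """SetThreadContext from a process into its own child running the same image."""
    table, hits = _by_pid(events), []
    for src, dst in ctx_calls:
        s, d = table.get(src), table.get(dst)
        if s and d and d["ppid"] == src and s["image"].lower() == d["image"].lower():
            hits.append({"rule": "self_hollowing", "parent": src, "child": dst,
                         "image": s["image"]})
    return hits


def find_ping_delete(events):
    """cmd.exe that sleeps via loopback ping and deletes a file; flag it as
    self-deletion when the target is the image of an ancestor process."""
    table, hits = _by_pid(events), []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = PING_DEL.search(e["cmdline"])
        if not m:
            continue
        # First non-switch token after "del" is the path; tolerate /q /f and quotes.
        tokens = re.findall(r'"[^"]*"|\S+', m.group("args"))
        targets = [t.strip('"') for t in tokens if not t.startswith("/")]
        if not targets:
            continue
        target = targets[0]
        victim = next((a for a in ancestors(e["pid"], table)
                       if a["image"].lower() == target.lower()), None)
        hits.append({"rule": "ping_delay_delete", "pid": e["pid"],
                     "delay_pings": int(m.group(1)), "target": target,
                     "deletes_ancestor_pid": victim["pid"] if victim else None})
    return hits


if __name__ == "__main__":
    for hit in find_self_hollowing(EVENTS, SET_THREAD_CONTEXT) + find_ping_delete(EVENTS):
        print(hit)
```

Both rules key on relationships rather than on the BubbleBrowser.exe name, so they carry over to the next dropper that uses a different file name; the ping count is kept in the finding because a long "-n" is the usual way the delay is tuned to outlive the parent.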
Network
MITRE ATT&CK Enterprise v6
Downloads
- One file (the same hashes are repeated four times in the report)
  MD5: 11d71c92fb114168431892a73963cb15
  SHA1: 6467448f5b6dfb4f0cd77e218e6e4bfbe8a61696
  SHA256: 18f4e6a6483a5684d61942d56cc20abc1ed690aa03910c9a3ebe24e71da8cf94
  SHA512: e3d2b822acf17d3c63e1efad5ef2dfc5ff3a2fdbed9a1b3791e1175fc674f62c0be2ef618d0a4a36e4e5c96c5399a3d53e0e3c0102b2a9324aa30641d301e6be