General
- Target: Vr.rar
- Size: 9.0MB
- Sample: 201125-xeckn6wq3s
- MD5: 65db9d146bda563ec5749ec53091b2aa
- SHA1: 220b5f4edfb7310ed96020cdbac22f13911304ab
- SHA256: cf1b38106e42989ddffb99e0163787135e7b294c5d5e88e3b47ca1b7cd0d6681
- SHA512: ddd8cc9178b2f5605d28dc6110bb23ba56209677c29089ee8977b11333ed677be8439183c1181f2d75b5ac97357aecf6d7fcc50748ac724e79ffd5f3a7aa46b3
Behavioral tasks (sample and sandbox resource)
- behavioral1: 0x000100000001ab86-55.exe (win7v20201028)
- behavioral2: 0x000100000001ab86-55.exe (win10v20201028)
- behavioral3: 0x000100000001ab87-47.exe (win7v20201028)
- behavioral4: 0x000100000001ab87-47.exe (win10v20201028)
- behavioral5: 0x000100000001ab9c-70.exe (win7v20201028)
- behavioral6: 0x000100000001ab9c-70.exe (win10v20201028)
- behavioral7: 0x000100000001ad02-313.exe (win7v20201028)
- behavioral8: 0x000100000001ad02-313.exe (win10v20201028)
- behavioral9: 0x000200000001aca8-173.exe (win7v20201028)
- behavioral10: 0x000200000001aca8-173.exe (win10v20201028)
- behavioral11: 0x000200000001acb5-183.exe (win7v20201028)
- behavioral12: 0x000200000001acb5-183.exe (win10v20201028)
- behavioral13: 0x000200000001acdf-236.exe (win7v20201028)
- behavioral14: 0x000200000001acdf-236.exe (win10v20201028)
- behavioral15: 0x000200000001ace9-240.exe (win7v20201028)
- behavioral16: 0x000200000001ace9-240.exe (win10v20201028)
- behavioral17: 0x000300000001a5a2-209.exe (win7v20201028)
- behavioral18: 0x000300000001a5a2-209.exe (win10v20201028)
- behavioral19: 0x000300000001ac90-122.exe (win7v20201028)
- behavioral20: 0x000300000001ac90-122.exe (win10v20201028)
- behavioral21: 0x000300000001ac99-126.exe (win7v20201028)
- behavioral22: 0x000300000001ac99-126.exe (win10v20201028)
- behavioral23: 0x000300000001ac9e-134.exe (win7v20201028)
- behavioral24: 0x000300000001ac9e-134.exe (win10v20201028)
- behavioral25: 0x000300000001ac9e-206.exe (win7v20201028)
- behavioral26: 0x000300000001ac9e-206.exe (win10v20201028)
- behavioral27: 0x000300000001ac9f-141.exe (win7v20201028)
- behavioral28: 0x000300000001ac9f-141.exe (win10v20201028)
- behavioral29: 0x000300000001acec-245.exe (win7v20201028)
- behavioral30: 0x000300000001acec-245.exe (win10v20201028)
- behavioral31: 0x000300000001aced-248.exe (win7v20201028)
- behavioral32: 0x000300000001aced-248.exe (win10v20201028)
Malware Config
Extracted: C:\_readme.txt
- helpmanager@mail.ch
- restoremanager@airmail.cc
- https://we.tl/t-jydQMZP2Ie
Extracted: smokeloader (2020)
- http://vintrsi.com/upload/
- http://woatdert.com/upload/
- http://waruse.com/upload/
Extracted: smokeloader (2019)
Targets

Target: 0x000100000001ab86-55.exe
- Size: 262KB
- MD5: e2e9483568dc53f68be0b80c34fe27fb
- SHA1: 8919397fcc5ce4f91fe0dc4e6f55cea5d39e4bb9
- SHA256: 205c40f2733ba3e30cc538adc6ac6ee46f4c84a245337a36108095b9280abb37
- SHA512: b6810288e5f9ad49dcbf13bf339eb775c52e1634cfa243535ab46fda97f5a2aac112549d21e2c30a95306a57363819be8ad5efd4525e27b6c446c17c9c587e4e
- Score: 1/10
Target: 0x000100000001ab87-47.exe
- Size: 71KB
- MD5: f0372ff8a6148498b19e04203dbb9e69
- SHA1: 27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8
- SHA256: 298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf
- SHA512: 65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865
- Score: 1/10
Target: 0x000100000001ab9c-70.exe
- Size: 977KB
- MD5: 5c6684e8c2b678de9e2776c6b50ddd72
- SHA1: 7d255100d811de745e6ee908d1e0f8ba4ff21add
- SHA256: bb5d2c07ce902c78227325bf5f336c04335874445fc0635a6b67ae5ba9d2fefc
- SHA512: f627ca67610f9d5c137bdae8b3f8f6c08ff9162d12b3e30d3886c72aec047d34e31b5f0e17120dc99d71b0c316e43bb946fc5d40a9babec7229ce3a3c9292acb
- Score: 8/10
- Signatures:
  - Executes dropped EXE
  - Loads dropped DLL
Target: 0x000100000001ad02-313.exe
- Size: 620KB
- MD5: 7f1c0fe70e588f3bead08b64910b455e
- SHA1: b0d78d67ee8a703e2c5dff5f50b34c504a91cfee
- SHA256: 4788a1207c8a83d6051a12d1bbc63e889fbf142e9479c8d2919e8dcb0e4a6cc4
- SHA512: e5c5227943683851d393328d41c86066ece40f6813533f010963f5515d369d3aa57175f169aef9f428deca38810be75ee8d40b735a0af8826fd7c1bb444b1a84
- Score: 8/10
- Signatures:
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
Target: 0x000200000001aca8-173.exe
- Size: 61KB
- MD5: a6279ec92ff948760ce53bba817d6a77
- SHA1: 5345505e12f9e4c6d569a226d50e71b5a572dce2
- SHA256: 8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
- SHA512: 213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
- Score: 1/10
Target: 0x000200000001acb5-183.exe
- Size: 10.2MB
- MD5: 6b32791ddadc54b2e770a881eb83c260
- SHA1: d5815c8b204c47ebbb9f91c4f66e459e14136a32
- SHA256: 23cb1064049da1e64c231cacee9908d9c1aed6a57b786740361d206d14bd2973
- SHA512: 3a7334533bbcf4b1ad5b6200a9ef4c319a72ea06659e42c9b857e8e02c9115b04e63a61fb892f475456d53b907a7b7fe7fafb09d9e66cfc51481c2f170ac86fb
- Signatures:
  - XMRig Miner Payload
  - Creates new service(s)
  - Executes dropped EXE
  - Modifies Windows Firewall
  - Sets service image path in registry
  - Deletes itself
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
Target: 0x000200000001acdf-236.exe
- Size: 274KB
- MD5: 996ba35165bb62473d2a6743a5200d45
- SHA1: 52169b0b5cce95c6905873b8d12a759c234bd2e0
- SHA256: 5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d
- SHA512: 2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634
- Score: 8/10
- Signatures:
  - Drops file in Drivers directory
Target: 0x000200000001ace9-240.exe
- Size: 602KB
- MD5: 637a8b78f4985a7807c6cdb238df4534
- SHA1: 01c47b02ec8b83a0a29590c2512c844318af8710
- SHA256: 87dc2c320339840a39ae63d4a53a406d2c091573c9f75aa28ea614b454fcfe95
- SHA512: 0eef7aec2cd0de345299bccda7cce486d65bde9d8d1dcfb6a90ffff79bb32d2be36452b064e4bd5da7aa5998e3398dca4bc1bf1ead863c324f7111a8ebfa0682
- Signatures:
  - Deletes itself
  - Loads dropped DLL
  - Reads user/profile data of local email clients: email clients store some user data on disk, where infostealers will often target it.
  - Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials etc.
  - Accesses cryptocurrency files/wallets, possible credential harvesting
  - JavaScript code in executable
  - Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
Target: 0x000300000001a5a2-209.exe
- Size: 842KB
- MD5: 185749ffbb860d3e5b705b557d819702
- SHA1: f09470a934d381cfc4e1504193eb58139061a645
- SHA256: 1c5319523b316c789c5c29e87675e580a9016b4624f197df889cb942c9a32bfa
- SHA512: 0bb85d296bdcee1fd50200af1924c73f751b08737256178052f46a8937a1a9be5656b4ea465b97ef798e48a0f600ceb7d2e18feb4026426112642d3b9213cce5
- Signatures:
  - Disables Task Manager via registry modification
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
  - Loads dropped DLL
  - Modifies file permissions
  - Reads user/profile data of local email clients: email clients store some user data on disk, where infostealers will often target it.
  - Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials etc.
  - Accesses cryptocurrency files/wallets, possible credential harvesting
  - Adds Run key to start application
  - JavaScript code in executable
  - Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
Target: 0x000300000001ac90-122.exe
- Size: 411KB
- MD5: ceec23bdfaa35e0eeee0bb318f9d339f
- SHA1: 69337754824f165accef920ec90d25aae72da9ca
- SHA256: e6ba7316c20de986784a205b13617c3c13ce4daa628a26d0c2d4bbf0fe7a21c6
- SHA512: 7d401409ab447ebbcd1412e192815a8f257e4fb947feb5f69834e4a97efa7031b4ff1fcd5f1d97277a465a96b12c78ef6ae79795e416cb14f4beb3dfa0bc6e47
- Signatures:
  - AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
  - RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  - Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials etc.
  - Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
  - Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
Target: 0x000300000001ac99-126.exe
- Size: 300KB
- MD5: ca58d4cf4a5e0725f844c8eae3f8ae67
- SHA1: fbce92619ce23f4594846f2f789e513dab9f3239
- SHA256: 0e3774d65577253a820f1ee272d7a0c96e4c6a869ef8f749fe7f83d2fc49f054
- SHA512: 32bdfc2e72fff79c075d5f9ead8268f1e9e0648635fd977f6d8db62358c48d5451b64e639b1853bd87220a1157e74754e1109b3f1797f98ef02d5151fb09f4a9
- Score: 10/10
- Signatures:
  - Executes dropped EXE
  - Deletes itself
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR): bootkits write to the MBR to gain persistence at a level below the operating system.
Target: 0x000300000001ac9e-134.exe
- Size: 311KB
- MD5: fdde60834af109d71f4c7d28b865c8a1
- SHA1: 4f721105161b74e07b5ccd762d32932989bfb03a
- SHA256: b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87
- SHA512: fecd130a4431fa81a1cf9be8019464b55bfb173dde91ced3a5828516bd51db509fd547c12dd483c00cdf5ade878ab542ffb6371238ccf960622bb464187b5778
- Signatures:
  - AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Deletes itself
  - Loads dropped DLL
  - Reads user/profile data of local email clients: email clients store some user data on disk, where infostealers will often target it.
  - Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials etc.
  - Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
  - Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
  - JavaScript code in executable
  - Suspicious use of SetThreadContext
Target: 0x000300000001ac9e-206.exe
- Size: 311KB
- MD5: fdde60834af109d71f4c7d28b865c8a1
- SHA1: 4f721105161b74e07b5ccd762d32932989bfb03a
- SHA256: b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87
- SHA512: fecd130a4431fa81a1cf9be8019464b55bfb173dde91ced3a5828516bd51db509fd547c12dd483c00cdf5ade878ab542ffb6371238ccf960622bb464187b5778
- Signatures:
  - AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Deletes itself
  - Loads dropped DLL
  - Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
  - Suspicious use of SetThreadContext
Target: 0x000300000001ac9f-141.exe
- Size: 19KB
- MD5: 5898d001eedb60a637f9334965e241a9
- SHA1: 59d543084a8230ac387dee45b027c47282256d02
- SHA256: 08eb269d6c3bfaf4d3cde53a987e0adc96a171235d3c34e3c6e9422920e793dd
- SHA512: d8be87bddd9f289597221d864370dfdd1ea94d2910837e211f34eec0fee56477672d98bd0565059389ff6d9ac79002f0ffa792feb84db02b18f432c6174e71e0
- Signatures:
  - AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
  - RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  - Executes dropped EXE
  - Loads dropped DLL
  - Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials etc.
  - Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
  - Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
  - Suspicious use of SetThreadContext
Target: 0x000300000001acec-245.exe
- Size: 482KB
- MD5: 801a4e85faeb41919a0da6fa174ada04
- SHA1: cf6a3be6cf3130a0d2a92ac9eec392e43029a06c
- SHA256: 23a96527c86ed75232f146343a612a96b8a6e70433cbdf39c9a611aeb3191ddd
- SHA512: 319b835e51c98e710a9bea852b79796f1516a5f38b092a2319e65cf21ca63be25621a8a89bd33fe32bc75fde5e115597d141fb68897738daccf476e9576dd54b
- Score: 1/10
Target: 0x000300000001aced-248.exe
- Size: 620KB
- MD5: 7f1c0fe70e588f3bead08b64910b455e
- SHA1: b0d78d67ee8a703e2c5dff5f50b34c504a91cfee
- SHA256: 4788a1207c8a83d6051a12d1bbc63e889fbf142e9479c8d2919e8dcb0e4a6cc4
- SHA512: e5c5227943683851d393328d41c86066ece40f6813533f010963f5515d369d3aa57175f169aef9f428deca38810be75ee8d40b735a0af8826fd7c1bb444b1a84
- Score: 8/10
- Signatures:
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
MITRE ATT&CK Matrix (ATT&CK v6), technique and number of matching signatures
Persistence
- New Service (1)
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (4)
- Bootkit (1)
Defense Evasion
- Disabling Security Tools (2)
- Modify Registry (7)
- File Permissions Modification (1)
- Install Root Certificate (2)