General
Target: 879BFA00324F6E16B5A74B8982649874.exe
Size: 3.9MB
Sample: 210322-d6461s7m2a
MD5: 879bfa00324f6e16b5a74b8982649874
SHA1: 672f9fabe5febcee206b11a3e9f813c2ff338987
SHA256: 03d1832abf518c028cf76057aa8ae09773be84840bff607e0c09da8d0d9f3e41
SHA512: 669e6339b37e69875ab02caf103645ba3cfd04c007e38b9242bbbef11366061e7680c31c76fcca35aa9bb7703bc0e52410f84d479ecb3992a3780bf117fe2049
Static task: static1
Behavioral task: behavioral1 (Sample: 879BFA00324F6E16B5A74B8982649874.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: 879BFA00324F6E16B5A74B8982649874.exe, Resource: win10v20201028)
Malware Config
Extracted: smokeloader, 2020
Extracted: redline, FB NEW TEST, 94.103.94.239:3214
Extracted: metasploit, windows/single_exec
Extracted: icedid, 1336056381, fsikiolker.uno
Extracted: redline, server, 185.250.148.227:80
Extracted: raccoon, 2ce901d964b370c5ccda7e4d68354ba040db8218
  url4cnc: https://telete.in/tomarsjsmith3
Extracted: cryptbot, basfs12.top, mormsd01.top
  payload_url: http://akmes01.top/download.php?file=lv.exe
Targets
Target: 879BFA00324F6E16B5A74B8982649874.exe
- CryptBot Payload
- Glupteba Payload
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- IcedID First Stage Loader
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext