General
Target: A043A69DD5BC7B5E61D606F3A678D6C1.exe
Size: 3.6MB
Sample: 210324-bxsndadpwn
MD5: a043a69dd5bc7b5e61d606f3a678d6c1
SHA1: a8b6af2915fb93e9bc5c60e36551e09244471846
SHA256: d0d946651c56c06d9ca14c32608fe26da018ed117f7d196fb4aef17c63e1de6f
SHA512: d107334a01cabf55692c79ea62c9b22cf596a5e3a099d9d2cb9160ba6eb42713a9946c5a0feeb8356d0b96e174f670b28c3554484b5f891d0ede111dbe0f173c
Static task: static1
Behavioral task: behavioral1 (Sample: A043A69DD5BC7B5E61D606F3A678D6C1.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: A043A69DD5BC7B5E61D606F3A678D6C1.exe, Resource: win10v20201028)
Malware Config
Extracted: smokeloader (2020)
Extracted: fickerstealer
lukkeze.club:80
Extracted: raccoon
2ce901d964b370c5ccda7e4d68354ba040db8218
url4cnc: https://telete.in/tomarsjsmith3
Extracted: raccoon
c46f13f8aadc028907d65c627fd9163161661f6c
url4cnc: https://telete.in/capibar
Extracted: cryptbot
bazfr32.top
morwhy03.top
payload_url: http://akrvt04.top/download.php?file=lv.exe
Extracted: icedid
1319278762
213podellkk.website
Extracted: redline
white
whitegarden.top:80
Targets
Target: A043A69DD5BC7B5E61D606F3A678D6C1.exe
- CryptBot Payload
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- IcedID First Stage Loader
- Downloads MZ/PE file
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of SetThreadContext