General
-
Target
SecuriteInfo.com.Trojan.Siggen12.58144.411.8319
-
Size
8KB
-
Sample
210327-t8l1g1fds6
-
MD5
5a240bb6dcd0af07ba295025c2624d1a
-
SHA1
3e0d3be59c87628cedb99efb43b0d85ab1451b83
-
SHA256
2d80eb1f45fbbfa834211cb26597c463d3033217afa53cd9727f4030cf25e122
-
SHA512
d838de728116c0feb5d6e6798264a023e63caba85dbbea376866ef7ac7031d3febd557bdd3fac5c7054e40cc78300d79e861158a360f184b71e32b497de3d32d
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Trojan.Siggen12.58144.411.8319.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Trojan.Siggen12.58144.411.8319.exe
Resource
win10v20201028
Malware Config
Extracted
smokeloader
2019
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
http://10022020test61-service1002012510022020.website/
http://10022020test51-service1002012510022020.xyz/
http://10022020test41-service100201pro2510022020.ru/
http://10022020yest31-service100201rus2510022020.ru/
http://10022020rest21-service1002012510022020.eu/
http://10022020test11-service1002012510022020.press/
http://10022020newfolder4561-service1002012510022020.ru/
http://10022020rustest213-service1002012510022020.ru/
http://10022020test281-service1002012510022020.ru/
http://10022020test261-service1002012510022020.space/
http://10022020yomtest251-service1002012510022020.ru/
http://10022020yirtest231-service1002012510022020.ru/
Extracted
smokeloader
2020
http://xsss99.icu/upload/
http://bingooodsg.icu/upload/
http://junntd.xyz/upload/
http://ginessa11.xyz/upload/
http://overplayninsx.xyz/upload/
http://bananinze.com/upload/
http://daunimlas.com/upload/
Extracted
raccoon
afefd33a49c7cbd55d417545269920f24c85aa37
-
url4cnc
https://telete.in/jagressor_kz
Targets
-
-
Target
SecuriteInfo.com.Trojan.Siggen12.58144.411.8319
-
Size
8KB
-
MD5
5a240bb6dcd0af07ba295025c2624d1a
-
SHA1
3e0d3be59c87628cedb99efb43b0d85ab1451b83
-
SHA256
2d80eb1f45fbbfa834211cb26597c463d3033217afa53cd9727f4030cf25e122
-
SHA512
d838de728116c0feb5d6e6798264a023e63caba85dbbea376866ef7ac7031d3febd557bdd3fac5c7054e40cc78300d79e861158a360f184b71e32b497de3d32d
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-