Overview
overview
10Static
static
80x00030000...22.exe
windows7_x64
0x00030000...22.exe
windows10_x64
100x00030000...35.exe
windows7_x64
100x00030000...35.exe
windows10_x64
70x00030000...41.exe
windows7_x64
80x00030000...41.exe
windows10_x64
80x00030000...61.exe
windows7_x64
100x00030000...61.exe
windows10_x64
100x00030000...51.exe
windows7_x64
100x00030000...51.exe
windows10_x64
100x00030000...56.exe
windows7_x64
100x00030000...56.exe
windows10_x64
100x00030000...88.exe
windows7_x64
10x00030000...88.exe
windows10_x64
10x00040000...27.exe
windows7_x64
100x00040000...27.exe
windows10_x64
100x00040000...63.exe
windows7_x64
0x00040000...63.exe
windows10_x64
10General
-
Target
Downloads.rar
-
Size
5.7MB
-
Sample
210708-5s29gx8mxn
-
MD5
d7ac6255dcc76334eb48080563b56cc8
-
SHA1
b07031f2073b70a91834e9e40e0a4faa35092a81
-
SHA256
a9db37183a4d7898d4ef820075d9fb5cdef55b47644cc5465b5e012c9a52b2fe
-
SHA512
f8c3ff7c33d4f8d47074ddc79bc946d962723cf498c4b1ef9f663e7d89e109498336a5206b230c4b4df4d95d2e338468c776ce24eebf82aeb8c55471f863eeff
Static task
static1
Behavioral task
behavioral1
Sample
0x00030000000130db-122.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
0x00030000000130db-122.exe
Resource
win10v20210410
Behavioral task
behavioral3
Sample
0x00030000000130dc-135.exe
Resource
win7v20210410
Behavioral task
behavioral4
Sample
0x00030000000130dc-135.exe
Resource
win10v20210408
Behavioral task
behavioral5
Sample
0x00030000000130dd-141.exe
Resource
win7v20210410
Behavioral task
behavioral6
Sample
0x00030000000130dd-141.exe
Resource
win10v20210408
Behavioral task
behavioral7
Sample
0x00030000000130de-161.exe
Resource
win7v20210410
Behavioral task
behavioral8
Sample
0x00030000000130de-161.exe
Resource
win10v20210408
Behavioral task
behavioral9
Sample
0x00030000000130df-151.exe
Resource
win7v20210410
Behavioral task
behavioral10
Sample
0x00030000000130df-151.exe
Resource
win10v20210410
Behavioral task
behavioral11
Sample
0x00030000000130e1-156.exe
Resource
win7v20210408
Behavioral task
behavioral12
Sample
0x00030000000130e1-156.exe
Resource
win10v20210410
Behavioral task
behavioral13
Sample
0x000300000001310b-88.exe
Resource
win7v20210408
Behavioral task
behavioral14
Sample
0x000300000001310b-88.exe
Resource
win10v20210410
Behavioral task
behavioral15
Sample
0x00040000000130bf-127.exe
Resource
win7v20210408
Behavioral task
behavioral16
Sample
0x00040000000130bf-127.exe
Resource
win10v20210410
Behavioral task
behavioral17
Sample
0x00040000000130e0-63.exe
Resource
win7v20210408
Malware Config
Extracted
smokeloader
2020
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
Extracted
vidar
39.4
865
https://sergeevih43.tumblr.com
-
profile_id
865
Extracted
redline
SEL7
kathonaror.xyz:80
Extracted
redline
706
edraquakwa.xyz:80
Extracted
redline
New
qurigoraka.xyz:80
Extracted
C:\_readme.txt
manager@mailtemp.ch
helpmanager@airmail.cc
https://we.tl/t-mNr1oio2P6
Extracted
redline
07_07_r
xtarweanda.xyz:80
Extracted
metasploit
windows/single_exec
Extracted
redline
ServAni
87.251.71.195:82
Extracted
vidar
39.4
706
https://sergeevih43.tumblr.com
-
profile_id
706
Targets
-
-
Target
0x00030000000130db-122.exe
-
Size
345KB
-
MD5
c6f791cdb3ec5ab080f0d84e9cb1d4eb
-
SHA1
d22f28ccda8b98265f9dba0c26d3f0cc3e2b6cdf
-
SHA256
d70b6e5dad1618f3d9f08a1d8220c6c34f959db468640b4e21f0b2b5c2507414
-
SHA512
d41134a4b310d5e640240c1083a39e4e0ffa5c025287060a9cdd94be67a877e6e88f8d85cb6ceca432bdc3de19e95465a560642fb119820105141bd9c57a0d30
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Deletes itself
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext
-
-
-
Target
0x00030000000130dc-135.exe
-
Size
680KB
-
MD5
7837314688b7989de1e8d94f598eb2dd
-
SHA1
889ae8ce433d5357f8ea2aff64daaba563dc94e3
-
SHA256
d8c28d07c365873b4e8332f057f062e65f2dd0cd4d599fd8b16d82eca5cf4247
-
SHA512
3df0c24a9f51a82716abb8e87ff44fdb6686183423d1f2f7d6bfb4cd03c3a18490f2c7987c29f3e1b2d25c48d428c2e73033998a872b185f70bb68a7aedb3e7c
Score10/10-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
0x00030000000130dd-141.exe
-
Size
972KB
-
MD5
5668cb771643274ba2c375ec6403c266
-
SHA1
dd78b03428b99368906fe62fc46aaaf1db07a8b9
-
SHA256
d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384
-
SHA512
135bd12414773cc84270af5225920a01487626528d7bbc2b703be71652265772c2e5488ee3f7e2c53b0b01c617b8c7920e0b457472b6724cfa9ec4c390b0a55a
Score8/10-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
0x00030000000130de-161.exe
-
Size
174KB
-
MD5
f12aa4983f77ed85b3a618f7656807c2
-
SHA1
ab29f2221d590d03756d89e63cf2802ee31ecbcf
-
SHA256
5db1d9e50f0e0e0ba0b15920e65a1b9e3b61bcc03d5930870e0b226b600a72e2
-
SHA512
9074af27996a11e988be7147cf387d8952b515d070ff49fec22f0e5b2d374563204eda56319447d9b5f49f056be1475f0a1a2c501fdf1a769d7d8a8077ccba8b
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
-
-
Target
0x00030000000130df-151.exe
-
Size
773KB
-
MD5
a0b06be5d5272aa4fcf2261ed257ee06
-
SHA1
596c955b854f51f462c26b5eb94e1b6161aad83c
-
SHA256
475d0beeadca13ecdfd905c840297e53ad87731dc911b324293ee95b3d8b700b
-
SHA512
1eb6b9df145b131d03224e9bb7ed3c6cc87044506d848be14d3e4c70438e575dbbd2a0964b176281b1307469872bd6404873974475cd91eb6f7534d16ceff702
-
Glupteba Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Vidar Stealer
-
Blocklisted process makes network request
-
Creates new service(s)
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
0x00030000000130e1-156.exe
-
Size
380KB
-
MD5
b0486bfc2e579b49b0cacee12c52469c
-
SHA1
ac6eb40cc66eddd0589eb940e6a6ce06b00c7d30
-
SHA256
9057ba81960258a882dee4335d947f499adabfc59bfd99e2b5f56b508a01fbe2
-
SHA512
b7f55e346830e2a2ed99bd57bfd0cb66221675a6b0b23d35e5d7fac5eee0c3dfc771eed5fed410c2063410e048fe41765c880ebf0a48137f9135cf1d65951075
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of SetThreadContext
-
-
-
Target
0x000300000001310b-88.exe
-
Size
290KB
-
MD5
843e8bb487aa489044ec65dbb7393105
-
SHA1
25de66c3300e54b3fe1ddb450c2974a26d2b4b45
-
SHA256
0379c582a742ae0a4dfb98313d205f3b84fd493388635cefe1ccc0e96d40fb0b
-
SHA512
2f4ead7d5e44152aeb752e481cda28034d5e8b4c1c92dade0566a519d8ffe2f308f9031ebcc39f042907e509ae2f666e1289b42a9a515b4f4c0a5f30e6d3d80f
Score1/10 -
-
-
Target
0x00040000000130bf-127.exe
-
Size
686KB
-
MD5
a957a80658f31c8fc864755deb2a0ca7
-
SHA1
8692ad674194f0901ee776ba99704f061babda95
-
SHA256
99117569330d3694ed281e0c5414c23aa33a5eb370494febb267925dd4a62208
-
SHA512
b46056d3971718a7770fef54d8a2af34363eb2e785f5506e9cb261c331954d12b810e46b297ebb98ccdf7f9bde73290d46491aa7a3276bdef51869651f7105af
-
Vidar Stealer
-
Downloads MZ/PE file
-
Deletes itself
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
0x00040000000130e0-63.exe
-
Size
3.1MB
-
MD5
22b4d432a671c3f71aa1e32065f81161
-
SHA1
9a18ff96ad8bf0f3133057c8047c10d0d205735e
-
SHA256
4c61aeec3fa5cbd6e8cd19272d28a1e07a8ac96e3fd8b2343791ed2521dd3028
-
SHA512
c0af739ec9a93978c8c25ad05a2c0826a8320a9ac007bbd36f6846053bc8d434e23a6edf19d1666767fd7ad404532983604fd7774cf18940f7541616700be523
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Vidar Stealer
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Registry Run Keys / Startup Folder
5Bootkit
1Modify Existing Service
4New Service
2BITS Jobs
2Defense Evasion
File Permissions Modification
3Modify Registry
14Install Root Certificate
6Disabling Security Tools
3Virtualization/Sandbox Evasion
2BITS Jobs
2