Resubmissions
12-07-2021 16:55
210712-cvz622xsbj 1010-07-2021 13:25
210710-pdfh7kft96 1009-07-2021 23:00
210709-hewxkm1xlj 1009-07-2021 16:08
210709-5ql27kyjqa 1009-07-2021 14:08
210709-pt977a4bhe 1008-07-2021 22:09
210708-3ypfnj5j7x 1008-07-2021 13:30
210708-4hsk7y9f2x 1008-07-2021 12:14
210708-8t5f9z9egj 10Analysis
-
max time kernel
1800s -
max time network
1788s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
09-07-2021 23:00
General
-
Target
toolspab2 (1).exe
-
Size
315KB
-
MD5
585c257e0b345b762e7cdc407d8f9da2
-
SHA1
ffee403d97b76c3460fc166b9d5ce1205cd216a5
-
SHA256
4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6
-
SHA512
14d39a6cd1c6d912cae7c35e2a98affcd5a9c1df6b947c42de65344e08d34912b09ccac83f9d8c3213b4e3d555769801e8218cb3f4b970d1d08606ee5a454ba8
Malware Config
Extracted
smokeloader
2020
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
Extracted
redline
82.202.161.37:26317
Extracted
vidar
39.4
824
https://sergeevih43.tumblr.com/
-
profile_id
824
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 13 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 7 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies registry class 2 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\toolspab2 (1).exe"C:\Users\Admin\AppData\Local\Temp\toolspab2 (1).exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\toolspab2 (1).exe"C:\Users\Admin\AppData\Local\Temp\toolspab2 (1).exe"2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\B3D5.exeC:\Users\Admin\AppData\Local\Temp\B3D5.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\E4A.exeC:\Users\Admin\AppData\Local\Temp\E4A.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\EE7.exeC:\Users\Admin\AppData\Local\Temp\EE7.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1198.exeC:\Users\Admin\AppData\Local\Temp\1198.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbsCript: clOSE ( CrEAteOBJect ("WscRIPt.ShELL" ). rUN ( "CMd.EXE /q /c Copy /Y ""C:\Users\Admin\AppData\Local\Temp\1198.exe"" ..\IpDIhVj3g.ExE && STARt ..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M& IF """"=="""" for %s IN ( ""C:\Users\Admin\AppData\Local\Temp\1198.exe"") do taskkill -f /Im ""%~nxs"" " , 0 , truE ) )2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c Copy /Y "C:\Users\Admin\AppData\Local\Temp\1198.exe" ..\IpDIhVj3g.ExE && STARt ..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M& IF ""=="" for %s IN ( "C:\Users\Admin\AppData\Local\Temp\1198.exe") do taskkill -f /Im "%~nxs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbsCript: clOSE ( CrEAteOBJect ("WscRIPt.ShELL" ). rUN ( "CMd.EXE /q /c Copy /Y ""C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE"" ..\IpDIhVj3g.ExE && STARt ..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M& IF ""/PyPXDDGMMiEeTQRVIP2SQdwWi2M""=="""" for %s IN ( ""C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE"") do taskkill -f /Im ""%~nxs"" " , 0 , truE ) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c Copy /Y "C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE" ..\IpDIhVj3g.ExE && STARt ..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M& IF "/PyPXDDGMMiEeTQRVIP2SQdwWi2M"=="" for %s IN ( "C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE") do taskkill -f /Im "%~nxs"6⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBSCrIpT: cLose ( CreAteObject( "wSCrIPt.ShelL" ). RUN ( "cMd /Q /C ecHo 6C:\Users\Admin\AppData\Local\TempZwG> QEFuCrB.w &ECHO | SeT /p = ""MZ"" > 0CZKPbA.~i © /Y /b 0CZKPBA.~i +HzMuGQn.ebg + 3KLPjZ48.1 + JBBP.aZ +jjD1CZ.Z +ME53U.RD + G8HVV~AW.A + QEFuCRB.w ..\LPHzR4.XZ &sTaRt regsvr32.exe ..\LphZr4.XZ /U -S & dEl /Q * " ,0 , tRuE ) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C ecHo 6C:\Users\Admin\AppData\Local\TempZwG> QEFuCrB.w &ECHO | SeT /p = "MZ" >0CZKPbA.~i © /Y /b 0CZKPBA.~i +HzMuGQn.ebg + 3KLPjZ48.1 + JBBP.aZ +jjD1CZ.Z +ME53U.RD + G8HVV~AW.A + QEFuCRB.w ..\LPHzR4.XZ &sTaRt regsvr32.exe ..\LphZr4.XZ /U -S& dEl /Q *6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO "7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>0CZKPbA.~i"7⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe ..\LphZr4.XZ /U -S7⤵
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f /Im "1198.exe"4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\13EA.exeC:\Users\Admin\AppData\Local\Temp\13EA.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 13EA.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\13EA.exe" & del C:\ProgramData\*.dll & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 13EA.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Roaming\hjsscbjC:\Users\Admin\AppData\Roaming\hjsscbj1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\hjsscbjC:\Users\Admin\AppData\Roaming\hjsscbj2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\vtsscbjC:\Users\Admin\AppData\Roaming\vtsscbj1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 4762⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
C:\Users\Admin\AppData\Roaming\hjsscbjC:\Users\Admin\AppData\Roaming\hjsscbj1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\hjsscbjC:\Users\Admin\AppData\Roaming\hjsscbj2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Roaming\hjsscbjC:\Users\Admin\AppData\Roaming\hjsscbj1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\hjsscbjC:\Users\Admin\AppData\Roaming\hjsscbj2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
428KB
-
Filesize
464KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
696KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
88KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
656KB
-
Filesize
628KB
-
Filesize
36KB
-
Filesize
316KB
-
Filesize
580KB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
188KB
-
Filesize
108KB
-
Filesize
100KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
388KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
16KB
-
Filesize
36KB
-
Filesize
316KB
-
Filesize
1.3MB
-
Filesize
684KB
-
Filesize
608KB
-
Filesize
4KB
-
Filesize
940KB
-
Filesize
608KB
-
Filesize
708KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
48KB
-
Filesize
28KB