General
- Target: x2BFjy8SRtdIV0VKlMSL7WDQ.exe
- Size: 194KB
- Sample: 210816-gqaw327grn
- MD5: ced17a3bd52eab4a5105c0e58945b9de
- SHA1: 8a49a9f44a9940f768f3c6c23fe568b9c56554c5
- SHA256: 4580788872756f0af096dd29d72e5d2dc84d42215ed197d817c0255edbefb486
- SHA512: 4ffeadbafda3574b5bd4f49bf39d2e053fb14f80c49d23807f595bad57364c11b948ffe371f0c263b52717b6dd6abe2e30a242d453aaf8154fa32c171cf5841e
- Static task: static1
- Behavioral task: behavioral1 (sample x2BFjy8SRtdIV0VKlMSL7WDQ.exe, resource win7v20210408)
- Behavioral task: behavioral2 (sample x2BFjy8SRtdIV0VKlMSL7WDQ.exe, resource win11)
- Behavioral task: behavioral3 (sample x2BFjy8SRtdIV0VKlMSL7WDQ.exe, resource win10v20210408)
Malware Config
Extracted: smokeloader
Version: 2020
C2:
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
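The 30 SmokeLoader C2 URLs above follow a single pattern: the label readinglistforjuly with a counter from 1 to 10, under each of the .xyz, .site and .club TLDs, all beaconing to the root path over plain HTTP. The Python below is an added example and is not part of the sandbox report or of any tool it names: it rebuilds that list, derives the hostnames, compiles one host-matching pattern, generates Suricata dns.query rules (the rule syntax assumes Suricata 5 or later) and runs the pattern over proxy log lines that are constructed here for illustration.

```python
"""Turn the SmokeLoader C2 list extracted in the report into detection artefacts.

Added example, not part of the sandbox report. C2_URLS reproduces the 30 URLs
listed in the report (readinglistforjuly1..10 under .xyz, .site and .club); the
proxy log lines further down are constructed for illustration only.
"""
import re
from urllib.parse import urlsplit

# The report's 30 C2 URLs, rebuilt from the observed naming pattern.
C2_URLS = [
    f"http://readinglistforjuly{n}.{tld}/"
    for tld in ("xyz", "site", "club")
    for n in range(1, 11)
]


def c2_hosts(urls):
    """Return the sorted, lower-cased hostnames of the extracted C2 URLs."""
    return sorted({urlsplit(u).hostname.lower() for u in urls})


def host_regex(hosts):
    """Compile one pattern matching any listed host or a subdomain of it.

    Each host is escaped so '.' stays literal; the end anchor stops
    'readinglistforjuly1.xyz.evil-lookalike.net' from matching, and the
    leading '(?:^|\\.)' stops 'notreadinglistforjuly1.xyz' from matching.
    """
    alternatives = "|".join(re.escape(h) for h in hosts)
    return re.compile(rf"(?:^|\.)(?:{alternatives})$", re.IGNORECASE)


def suricata_dns_rules(hosts, sid_base=9000001):
    """Emit one dns.query rule per C2 host (Suricata 5+ syntax, an assumption)."""
    rules = []
    for i, host in enumerate(hosts):
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"SmokeLoader C2 DNS lookup {host}"; '
            f'dns.query; content:"{host}"; nocase; endswith; '
            f"sid:{sid_base + i}; rev:1;)"
        )
    return rules


# Constructed proxy log lines: "<epoch> <client> <method> <url> <status>".
PROXY_LOG = """\
1629100001 10.0.0.5 POST http://readinglistforjuly3.xyz/ 200
1629100002 10.0.0.5 GET http://www.example.com/ 200
1629100003 10.0.0.7 POST http://READINGLISTFORJULY10.club/ 404
1629100004 10.0.0.7 POST http://readinglistforjuly11.xyz/ 200
1629100005 10.0.0.9 GET http://readinglistforjuly1.xyz.evil-lookalike.net/ 200
1629100006 10.0.0.9 POST http://cdn.readinglistforjuly2.site/ 200
""".splitlines()


def scan_proxy_log(lines, pattern):
    """Return (client, host) for every request whose host matches the C2 pattern."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of crashing the scan
        host = urlsplit(parts[3]).hostname or ""
        if pattern.search(host):
            hits.append((parts[1], host.lower()))
    return hits


if __name__ == "__main__":
    hosts = c2_hosts(C2_URLS)
    pattern = host_regex(hosts)
    for client, host in scan_proxy_log(PROXY_LOG, pattern):
        print(f"{client} contacted SmokeLoader C2 {host}")
    print(suricata_dns_rules(hosts)[0])
```

The pattern deliberately matches only the 30 observed hosts, so the constructed readinglistforjuly11.xyz request is not flagged while the subdomain cdn.readinglistforjuly2.site is. Whether a generator-style naming scheme like this one justifies a broader rule over the label and counter is an analyst judgment the static config alone cannot settle.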
Extracted: raccoon
cd8dc1031358b1aec55cc6bc447df1018b068607
url4cnc: https://telete.in/jagressor_kz
The url4cnc value points at a Telegram channel (telete.in is a Telegram web mirror) from which the stealer retrieves its actual C2 address at runtime, so the live C2 host is not present in this static config and has to be recovered from the channel or from captured network traffic.
Targets
- Target: x2BFjy8SRtdIV0VKlMSL7WDQ.exe
- Size: 194KB
- MD5: ced17a3bd52eab4a5105c0e58945b9de
- SHA1: 8a49a9f44a9940f768f3c6c23fe568b9c56554c5
- SHA256: 4580788872756f0af096dd29d72e5d2dc84d42215ed197d817c0255edbefb486
- SHA512: 4ffeadbafda3574b5bd4f49bf39d2e053fb14f80c49d23807f595bad57364c11b948ffe371f0c263b52717b6dd6abe2e30a242d453aaf8154fa32c171cf5841e
- Raccoon Stealer Payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext