Analysis
-
max time kernel
153s -
max time network
155s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
23-08-2021 13:56
General
-
Target
b87200fd33230fb9a0c284b030ca1c07f5b63c379531de918c7da6288281c5e3.exe
-
Size
277KB
-
MD5
417141e9d2e0fed64579e7ae12507eac
-
SHA1
51142084ed69f120bd232ee82aebb7aa45382359
-
SHA256
b87200fd33230fb9a0c284b030ca1c07f5b63c379531de918c7da6288281c5e3
-
SHA512
bc15667948b9afce15a8f8142f06c5a60f75827a5ca0bd1e4790cd92de76adfa4de15a3c3bff0eac6663f7e2df9c42a1635d67d73f86905a77dff70ba0064c52
Malware Config
Extracted
smokeloader
2020
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b87200fd33230fb9a0c284b030ca1c07f5b63c379531de918c7da6288281c5e3.exe"C:\Users\Admin\AppData\Local\Temp\b87200fd33230fb9a0c284b030ca1c07f5b63c379531de918c7da6288281c5e3.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\15D2.exeC:\Users\Admin\AppData\Local\Temp\15D2.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\15D2.exeMD5
1f6e49e83b13758948915b43fb388a94
SHA1c38876024e6e3cf46f804fc3d0aca553a263ffaf
SHA256624cfab55296eb7e9d73d9478455f96d4861ca92d45677909a7f2fb8532b1f63
SHA512462ed0fe61a8884bc337f7f970ab29c5e3b9dbe29a075fa385630febebfc8d0c0075cec46f4138c89667d4320c63fe296ec48fe6e82a895c02c33ea3441ca85f
-
memory/432-64-0x0000000000000000-mapping.dmp
-
memory/432-68-0x00000000013C0000-0x00000000013C1000-memory.dmpFilesize
4KB
-
memory/432-70-0x00000000002A0000-0x00000000002A1000-memory.dmpFilesize
4KB
-
memory/1288-63-0x0000000002D50000-0x0000000002D66000-memory.dmpFilesize
88KB
-
memory/1420-60-0x0000000074FB1000-0x0000000074FB3000-memory.dmpFilesize
8KB
-
memory/1420-61-0x0000000000020000-0x0000000000029000-memory.dmpFilesize
36KB
-
memory/1420-62-0x0000000000400000-0x00000000023AF000-memory.dmpFilesize
31.7MB