Analysis
-
max time kernel
154s -
max time network
158s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
23-08-2021 13:56
General
-
Target
23d94c5414f81f6736b4ddc3cdc26097fb66d839d00079aa1c87c40a7e726cf9.exe
-
Size
280KB
-
MD5
c1c301d9b0ba8ba056707f2d2c82bd9d
-
SHA1
d70353b58f0576138abdf8dcac5064358a379305
-
SHA256
23d94c5414f81f6736b4ddc3cdc26097fb66d839d00079aa1c87c40a7e726cf9
-
SHA512
1894b720c731c3f4dc90e42d98690bad2acaf6669fe7334064187bc4c21c662894447e635d76a9d06542e13529d56c1b0902585b47537ff04ece1669bb73b8f0
Malware Config
Extracted
smokeloader
2020
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\23d94c5414f81f6736b4ddc3cdc26097fb66d839d00079aa1c87c40a7e726cf9.exe"C:\Users\Admin\AppData\Local\Temp\23d94c5414f81f6736b4ddc3cdc26097fb66d839d00079aa1c87c40a7e726cf9.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\1F4.exeC:\Users\Admin\AppData\Local\Temp\1F4.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1F4.exeMD5
1f6e49e83b13758948915b43fb388a94
SHA1c38876024e6e3cf46f804fc3d0aca553a263ffaf
SHA256624cfab55296eb7e9d73d9478455f96d4861ca92d45677909a7f2fb8532b1f63
SHA512462ed0fe61a8884bc337f7f970ab29c5e3b9dbe29a075fa385630febebfc8d0c0075cec46f4138c89667d4320c63fe296ec48fe6e82a895c02c33ea3441ca85f
-
memory/1176-63-0x0000000002E60000-0x0000000002E76000-memory.dmpFilesize
88KB
-
memory/1660-64-0x0000000000000000-mapping.dmp
-
memory/1660-68-0x0000000001330000-0x0000000001331000-memory.dmpFilesize
4KB
-
memory/1660-70-0x0000000005040000-0x0000000005041000-memory.dmpFilesize
4KB
-
memory/1672-60-0x0000000075971000-0x0000000075973000-memory.dmpFilesize
8KB
-
memory/1672-61-0x0000000000020000-0x0000000000029000-memory.dmpFilesize
36KB
-
memory/1672-62-0x0000000000400000-0x00000000023B1000-memory.dmpFilesize
31.7MB