Resubmissions
15-10-2024 15:36
241015-s1zlzasdkc 1001-07-2024 18:32
240701-w6yteawhmq 1001-07-2024 14:52
240701-r82wmaxdnd 1001-07-2024 14:52
240701-r8syqa1dpp 1011-03-2024 21:22
240311-z8dsssgg58 1001-09-2021 13:18
210901-5bmxjspa5s 1001-09-2021 13:04
210901-te4btfspqa 1001-09-2021 05:12
210901-4wnkwm1p3j 1031-08-2021 21:47
210831-41rp97dma2 1031-08-2021 19:51
210831-359awwatje 10Analysis
-
max time kernel
74s -
max time network
648s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
01-09-2021 05:12
General
-
Target
Setup (11).exe
-
Size
631KB
-
MD5
cb927513ff8ebff4dd52a47f7e42f934
-
SHA1
0de47c02a8adc4940a6c18621b4e4a619641d029
-
SHA256
fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
-
SHA512
988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
rc4.i32
rc4.i32
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
redline
Botnet
NORMAN2
C2
45.14.49.184:27587
Extracted
Family
redline
Botnet
mix01.09
C2
185.215.113.15:6043
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 1 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 8 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 8 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 21 IoCs
-
Themida packer 6 IoCs
Detects Themida, an advanced Windows software protection system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of WriteProcessMemory 62 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup (11).exe"C:\Users\Admin\AppData\Local\Temp\Setup (11).exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\nSF7XvJkkJM8Yz6VGfGOooEx.exe"C:\Users\Admin\Documents\nSF7XvJkkJM8Yz6VGfGOooEx.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\ejP4GSLsI8_E8zrOpapA_omX.exe"C:\Users\Admin\Documents\ejP4GSLsI8_E8zrOpapA_omX.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\ejP4GSLsI8_E8zrOpapA_omX.exe"C:\Users\Admin\Documents\ejP4GSLsI8_E8zrOpapA_omX.exe"3⤵
-
-
-
C:\Users\Admin\Documents\lnvDH_mbTtp5WsC2CQzVHz85.exe"C:\Users\Admin\Documents\lnvDH_mbTtp5WsC2CQzVHz85.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{zqBn-iOpT0-9UCS-Jyyr0}\38562513683.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\{zqBn-iOpT0-9UCS-Jyyr0}\38562513683.exe"C:\Users\Admin\AppData\Local\Temp\{zqBn-iOpT0-9UCS-Jyyr0}\38562513683.exe"4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{zqBn-iOpT0-9UCS-Jyyr0}\91610868421.exe" /mix3⤵
-
C:\Users\Admin\AppData\Local\Temp\{zqBn-iOpT0-9UCS-Jyyr0}\91610868421.exe"C:\Users\Admin\AppData\Local\Temp\{zqBn-iOpT0-9UCS-Jyyr0}\91610868421.exe" /mix4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{zqBn-iOpT0-9UCS-Jyyr0}\42577349677.exe" /mix3⤵
-
C:\Users\Admin\AppData\Local\Temp\{zqBn-iOpT0-9UCS-Jyyr0}\42577349677.exe"C:\Users\Admin\AppData\Local\Temp\{zqBn-iOpT0-9UCS-Jyyr0}\42577349677.exe" /mix4⤵
-
C:\Users\Admin\AppData\Roaming\hyperc\apinesp.exeapinesp.exe5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "lnvDH_mbTtp5WsC2CQzVHz85.exe" /f & erase "C:\Users\Admin\Documents\lnvDH_mbTtp5WsC2CQzVHz85.exe" & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "lnvDH_mbTtp5WsC2CQzVHz85.exe" /f4⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Documents\7xMdT_G370w5C6PLAN3Ibcj6.exe"C:\Users\Admin\Documents\7xMdT_G370w5C6PLAN3Ibcj6.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\xkuDGpGxNhlv15YWgSRP2dVF.exe"C:\Users\Admin\Documents\xkuDGpGxNhlv15YWgSRP2dVF.exe"2⤵
-
-
C:\Users\Admin\Documents\CC4QoECQCI76CNZVBIgkviJM.exe"C:\Users\Admin\Documents\CC4QoECQCI76CNZVBIgkviJM.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\mW2KHlMduL_1EBhHQ8EStJ1d.exe"C:\Users\Admin\Documents\mW2KHlMduL_1EBhHQ8EStJ1d.exe"2⤵
-
-
C:\Users\Admin\Documents\7wnFkvcw2iCIkvNWSYhre0WT.exe"C:\Users\Admin\Documents\7wnFkvcw2iCIkvNWSYhre0WT.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 8563⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\uUvDGyq8PgyqCzwpyCtkaK7q.exe"C:\Users\Admin\Documents\uUvDGyq8PgyqCzwpyCtkaK7q.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\uUvDGyq8PgyqCzwpyCtkaK7q.exeC:\Users\Admin\Documents\uUvDGyq8PgyqCzwpyCtkaK7q.exe3⤵
-
-
C:\Users\Admin\Documents\uUvDGyq8PgyqCzwpyCtkaK7q.exeC:\Users\Admin\Documents\uUvDGyq8PgyqCzwpyCtkaK7q.exe3⤵
-
-
C:\Users\Admin\Documents\uUvDGyq8PgyqCzwpyCtkaK7q.exeC:\Users\Admin\Documents\uUvDGyq8PgyqCzwpyCtkaK7q.exe3⤵
-
-
C:\Users\Admin\Documents\uUvDGyq8PgyqCzwpyCtkaK7q.exeC:\Users\Admin\Documents\uUvDGyq8PgyqCzwpyCtkaK7q.exe3⤵
-
-
C:\Users\Admin\Documents\uUvDGyq8PgyqCzwpyCtkaK7q.exeC:\Users\Admin\Documents\uUvDGyq8PgyqCzwpyCtkaK7q.exe3⤵
-
-
-
C:\Users\Admin\Documents\lCI3dtFIlAPuIdVulhPZSmMy.exe"C:\Users\Admin\Documents\lCI3dtFIlAPuIdVulhPZSmMy.exe"2⤵
- Executes dropped EXE
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"4⤵
-
-
-
-
C:\Users\Admin\Documents\0fdLNzXgcY1axRy1zovo_3eN.exe"C:\Users\Admin\Documents\0fdLNzXgcY1axRy1zovo_3eN.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\QwVVxRB0IfgtVWmU2KxPWotz.exe"C:\Users\Admin\Documents\QwVVxRB0IfgtVWmU2KxPWotz.exe"2⤵
-
-
C:\Users\Admin\Documents\YMJP7jfaZLK7I54h1mMJvZ0a.exe"C:\Users\Admin\Documents\YMJP7jfaZLK7I54h1mMJvZ0a.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{9qR2-Op1qM-98Hi-CM9fa}\41320010464.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\{9qR2-Op1qM-98Hi-CM9fa}\41320010464.exe"C:\Users\Admin\AppData\Local\Temp\{9qR2-Op1qM-98Hi-CM9fa}\41320010464.exe"4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{9qR2-Op1qM-98Hi-CM9fa}\07562434075.exe" /mix3⤵
-
C:\Users\Admin\AppData\Local\Temp\{9qR2-Op1qM-98Hi-CM9fa}\07562434075.exe"C:\Users\Admin\AppData\Local\Temp\{9qR2-Op1qM-98Hi-CM9fa}\07562434075.exe" /mix4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{9qR2-Op1qM-98Hi-CM9fa}\03002502984.exe" /mix3⤵
-
C:\Users\Admin\AppData\Local\Temp\{9qR2-Op1qM-98Hi-CM9fa}\03002502984.exe"C:\Users\Admin\AppData\Local\Temp\{9qR2-Op1qM-98Hi-CM9fa}\03002502984.exe" /mix4⤵
-
C:\Users\Admin\AppData\Roaming\hyperc\apinesp.exeapinesp.exe5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "YMJP7jfaZLK7I54h1mMJvZ0a.exe" /f & erase "C:\Users\Admin\Documents\YMJP7jfaZLK7I54h1mMJvZ0a.exe" & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "YMJP7jfaZLK7I54h1mMJvZ0a.exe" /f4⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Documents\jalklreknkPN5TB3FFgzi7AC.exe"C:\Users\Admin\Documents\jalklreknkPN5TB3FFgzi7AC.exe"2⤵
-
-
C:\Users\Admin\Documents\BZSVmwDvHXVZv7ZwF31CNc_2.exe"C:\Users\Admin\Documents\BZSVmwDvHXVZv7ZwF31CNc_2.exe"2⤵
-
-
C:\Users\Admin\Documents\4ph5pUiMHDMqdVEaUg1QoNLZ.exe"C:\Users\Admin\Documents\4ph5pUiMHDMqdVEaUg1QoNLZ.exe"2⤵
-
-
C:\Users\Admin\Documents\cJoWQPfkhhIVHfcUa7NqpM4m.exe"C:\Users\Admin\Documents\cJoWQPfkhhIVHfcUa7NqpM4m.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\is-1LFCI.tmp\cJoWQPfkhhIVHfcUa7NqpM4m.tmp"C:\Users\Admin\AppData\Local\Temp\is-1LFCI.tmp\cJoWQPfkhhIVHfcUa7NqpM4m.tmp" /SL5="$3015E,138429,56832,C:\Users\Admin\Documents\cJoWQPfkhhIVHfcUa7NqpM4m.exe"3⤵
-
-
-
C:\Users\Admin\Documents\XVLjN6S6dLbFLF1dM183RHa3.exe"C:\Users\Admin\Documents\XVLjN6S6dLbFLF1dM183RHa3.exe"2⤵
-
C:\Users\Admin\Documents\XVLjN6S6dLbFLF1dM183RHa3.exe"C:\Users\Admin\Documents\XVLjN6S6dLbFLF1dM183RHa3.exe"3⤵
-
-
C:\Users\Admin\Documents\XVLjN6S6dLbFLF1dM183RHa3.exe"C:\Users\Admin\Documents\XVLjN6S6dLbFLF1dM183RHa3.exe"3⤵
-
-
C:\Users\Admin\Documents\XVLjN6S6dLbFLF1dM183RHa3.exe"C:\Users\Admin\Documents\XVLjN6S6dLbFLF1dM183RHa3.exe"3⤵
-
-
-
C:\Users\Admin\Documents\W8B99wTMjpBkboOuZuz5ddrv.exe"C:\Users\Admin\Documents\W8B99wTMjpBkboOuZuz5ddrv.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\6496936.exe"C:\Users\Admin\AppData\Roaming\6496936.exe"3⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2360 -s 17164⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\1959355.exe"C:\Users\Admin\AppData\Roaming\1959355.exe"3⤵
-
-
C:\Users\Admin\AppData\Roaming\2242044.exe"C:\Users\Admin\AppData\Roaming\2242044.exe"3⤵
-
-
C:\Users\Admin\AppData\Roaming\1325376.exe"C:\Users\Admin\AppData\Roaming\1325376.exe"3⤵
-
-
C:\Users\Admin\AppData\Roaming\7627877.exe"C:\Users\Admin\AppData\Roaming\7627877.exe"3⤵
-
-
-
C:\Users\Admin\Documents\vyz9HUu8BXeMHa4ZcxO_urog.exe"C:\Users\Admin\Documents\vyz9HUu8BXeMHa4ZcxO_urog.exe"2⤵
-
-
C:\Users\Admin\Documents\1iki0OtChXsrJdd4K0vUa5oC.exe"C:\Users\Admin\Documents\1iki0OtChXsrJdd4K0vUa5oC.exe"2⤵
-
-
C:\Users\Admin\Documents\KVblvzhqEW7dCBFvGUcy7BJq.exe"C:\Users\Admin\Documents\KVblvzhqEW7dCBFvGUcy7BJq.exe"2⤵
-
C:\Users\Admin\Documents\KVblvzhqEW7dCBFvGUcy7BJq.exe"C:\Users\Admin\Documents\KVblvzhqEW7dCBFvGUcy7BJq.exe" -u3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\C1AA.exeC:\Users\Admin\AppData\Local\Temp\C1AA.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
188KB
-
Filesize
29.4MB
-
Filesize
860KB
-
Filesize
40KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
25.5MB
-
Filesize
188KB
-
Filesize
4KB
-
Filesize
96KB
-
Filesize
8KB
-
Filesize
844KB
-
Filesize
1.6MB
-
Filesize
88KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
1.2MB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
9.1MB
-
Filesize
29.7MB
-
Filesize
828KB
-
Filesize
820KB
-
Filesize
44KB
-
Filesize
876KB
-
Filesize
88KB
-
Filesize
956KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
180KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
212KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
124KB