General
-
Target
5e71b81ed4b3da511193fdd39d163eaebaa6c82c73b5a03512fdc4a70a57c744
-
Size
223KB
-
Sample
210906-g827aadffp
-
MD5
77dd61d9cf1be9397b73c17d6e935c51
-
SHA1
753d2bf827ddc8ae76d4eedcd970bf2c563cf708
-
SHA256
5e71b81ed4b3da511193fdd39d163eaebaa6c82c73b5a03512fdc4a70a57c744
-
SHA512
5454359f295a329136d001ebb8e3f52c6cb887e3ecdd2bce637a88653c0e6b84acadf55472a5280508b1976806d8b2acf09cdd43bb1e5952a9dbbd6cfbe0c428
Static task
static1
Behavioral task
behavioral1
Sample
5e71b81ed4b3da511193fdd39d163eaebaa6c82c73b5a03512fdc4a70a57c744.exe
Resource
win10v20210408
Malware Config
Extracted
smokeloader
2020
Extracted
redline
newnew
185.167.97.37:30904
Extracted
vidar
40.4
936
https://romkaxarit.tumblr.com/
-
profile_id
936
Extracted
raccoon
fe582536ec580228180f270f7cb80a867860e010
-
url4cnc
https://telete.in/xylichanjk
Extracted
redline
200
45.14.49.28:56898
Extracted
vidar
40.4
948
https://romkaxarit.tumblr.com/
-
profile_id
948
Extracted
vidar
40.4
937
https://romkaxarit.tumblr.com/
-
profile_id
937
Extracted
metasploit
windows/single_exec
Extracted
vidar
40.4
973
https://romkaxarit.tumblr.com/
-
profile_id
973
Targets
-
Glupteba Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Vidar Stealer
-
XMRig Miner Payload
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext