General

Target: daa924a51f13b11f37dac4ed05098052357d6c78816e121c9105c118692bd1a2
Size: 247KB
Sample: 210907-a7m8eaeghm
MD5: 207bb33577d0f8f3831a45858138d96b
SHA1: 7a4f99fa0a75a6ddcab1901de445b3b2f4ea3267
SHA256: daa924a51f13b11f37dac4ed05098052357d6c78816e121c9105c118692bd1a2
SHA512: 09b757069da156ffcb046ffb88562ef216b14a00ad125c8f8bdf4024a35158fe98dadff9b549e7ed933796a70594a4f4f3d65eedbd9506ae658c2fdb81f035ed
Static task: static1
Behavioral task: behavioral1
Sample: daa924a51f13b11f37dac4ed05098052357d6c78816e121c9105c118692bd1a2.exe
Resource: win10-en
Malware Config

Extracted: smokeloader
Version: 2020
C2:
http://fazanaharahe1.xyz/
http://xandelissane2.xyz/
http://ustiassosale3.xyz/
http://cytheriata4.xyz/
http://ggiergionard5.xyz/
http://rrelleynaniy6.store/
http://danniemusoa7.store/
http://nastanizab8.store/
http://onyokandis9.store/
http://dmunaavank10.store/
http://gilmandros11.site/
http://cusanthana12.site/
http://willietjeana13.site/
http://ximusokall14.site/
http://blodinetisha15.site/
http://urydiahadyss16.club/
http://glasamaddama17.club/
http://marlingarly18.club/
http://alluvianna19.club/
http://xandirkaniel20.club/
Extracted: redline
C2: 45.14.49.232:14970
Extracted: njrat
C2: 62.33.159.162:5674
Mutex: 26c50014115b430
reg_key: 26c50014115b430
splitter: @!#&^%$
Extracted: raccoon
Botnet: c0a9feb2a4e39ae5dc9126aeda03d4a8d900a1bf
url4cnc: https://telete.in/hotcarzooncon
Extracted: asyncrat
Version: 0.5.7B
C2: null:null (host and port are not embedded; the client fetches them at runtime from the pastebin_config URL below)
Mutex: AsyncMutex_6SI8OkPnk
aes_key: 8FA9JRFjWXueotm7qWCj4Zax4AHfQdgS
anti_detection: true
autorun: true
bdos: false
delay: Default
host: null
hwid: 3
install_file:
install_folder: %AppData%
mutex: AsyncMutex_6SI8OkPnk
pastebin_config: https://pastebin.com/raw/JBB6AAZb
port: null
version: 0.5.7B
Extracted: quasar
Version: 1.4.0
Botnet: Office04
C2: 8.tcp.ngrok.io:12199
Mutex: 77e1716f-a8ee-4809-837a-f0b960ec437d
encryption_key: 66E7B222E349FE5DA72098D60610AEAB3132B98F
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
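The extracted configs above are the raw material for a hunt: C2 endpoints, mutex names and the registry Run value names (njRAT's reg_key, Quasar's startup_key) can be matched against endpoint telemetry as they stand. The script below is an added example and not part of the report or of any of the listed families' code: it copies those values into lookup tables and runs them over a constructed set of Sysmon-shaped events. The event dictionary shapes, the three-URL subset of the twenty SmokeLoader C2s and the rule that flags any `*.ngrok.io` destination are my choices.

```python
"""Turn the configs extracted in this report into hunt indicators and run
them over endpoint telemetry. The config values are copied from the report;
the telemetry events are constructed for this example."""
from urllib.parse import urlparse

# Per family: "urls" are full URLs, "c2" are host:port strings, "mutexes"
# and "run_values" (registry Run value names: njRAT's reg_key and Quasar's
# startup_key) are matched verbatim. SmokeLoader has 20 C2 URLs in the
# report; three are enough to show the mechanism.
EXTRACTED = {
    "smokeloader": {"urls": ["http://fazanaharahe1.xyz/",
                             "http://xandelissane2.xyz/",
                             "http://ustiassosale3.xyz/"]},
    "redline":  {"c2": ["45.14.49.232:14970"]},
    "njrat":    {"c2": ["62.33.159.162:5674"], "run_values": ["26c50014115b430"]},
    "raccoon":  {"urls": ["https://telete.in/hotcarzooncon"]},
    "asyncrat": {"mutexes": ["AsyncMutex_6SI8OkPnk"],
                 "urls": ["https://pastebin.com/raw/JBB6AAZb"]},
    "quasar":   {"c2": ["8.tcp.ngrok.io:12199"],
                 "mutexes": ["77e1716f-a8ee-4809-837a-f0b960ec437d"],
                 "run_values": ["Quasar Client Startup"]},
}

# Assumption for this example: any ngrok tunnel endpoint is worth a look,
# not only the one host in the Quasar config.
SUSPECT_SUFFIXES = (".ngrok.io",)


def _split_hostport(hp):
    host, _, port = hp.rpartition(":")
    return host.lower(), int(port)


def build_indicators(extracted):
    """Flatten the per-family configs into lookup tables keyed by indicator."""
    ind = {"net": {}, "mutex": {}, "run_value": {}}
    for family, cfg in extracted.items():
        for url in cfg.get("urls", []):
            u = urlparse(url)
            port = u.port or (443 if u.scheme == "https" else 80)
            ind["net"][(u.hostname.lower(), port)] = family
        for hp in cfg.get("c2", []):
            ind["net"][_split_hostport(hp)] = family
        for m in cfg.get("mutexes", []):
            ind["mutex"][m] = family
        for v in cfg.get("run_values", []):
            ind["run_value"][v.lower()] = family
    return ind


def match_events(indicators, events):
    """Return (family, event) pairs for telemetry that hits an indicator."""
    hits = []
    for ev in events:
        family = None
        if ev["type"] == "net":
            host = ev["dst"].lower()
            family = indicators["net"].get((host, ev["port"]))
            if family is None and host.endswith(SUSPECT_SUFFIXES):
                family = "tunnel-service"
        elif ev["type"] == "mutex":
            family = indicators["mutex"].get(ev["name"])
        elif ev["type"] == "reg" and ev["key"].lower().endswith(r"\currentversion\run"):
            family = indicators["run_value"].get(ev["value"].lower())
        if family:
            hits.append((family, ev))
    return hits


# Constructed telemetry, roughly Sysmon-shaped (network connection,
# registry value set, mutex creation). Not from the report.
SAMPLE_EVENTS = [
    {"type": "net", "dst": "45.14.49.232", "port": 14970},
    {"type": "net", "dst": "8.tcp.ngrok.io", "port": 12199},
    {"type": "net", "dst": "fazanaharahe1.xyz", "port": 80},
    {"type": "net", "dst": "update.microsoft.com", "port": 443},
    {"type": "net", "dst": "4.tcp.ngrok.io", "port": 18080},
    {"type": "mutex", "name": "AsyncMutex_6SI8OkPnk"},
    {"type": "mutex", "name": "Global\\ExplorerIsShellMutex"},
    {"type": "reg", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "Quasar Client Startup"},
    {"type": "reg", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "26c50014115b430"},
    {"type": "reg", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "OneDrive"},
]

if __name__ == "__main__":
    for family, ev in match_events(build_indicators(EXTRACTED), SAMPLE_EVENTS):
        print(f"{family:15s} {ev}")
```

Mutex and Run value names are the most durable of these indicators: the AsyncRAT sample carries no C2 at all (it is fetched from pastebin at runtime) and the Quasar C2 is an ngrok tunnel that can be re-created on a new port at any time, while AsyncMutex_6SI8OkPnk and "Quasar Client Startup" survive both.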
Targets

Target: daa924a51f13b11f37dac4ed05098052357d6c78816e121c9105c118692bd1a2
Size: 247KB
MD5: 207bb33577d0f8f3831a45858138d96b
SHA1: 7a4f99fa0a75a6ddcab1901de445b3b2f4ea3267
SHA256: daa924a51f13b11f37dac4ed05098052357d6c78816e121c9105c118692bd1a2
SHA512: 09b757069da156ffcb046ffb88562ef216b14a00ad125c8f8bdf4024a35158fe98dadff9b549e7ed933796a70594a4f4f3d65eedbd9506ae658c2fdb81f035ed
- Contains code to disable Windows Defender
  A .NET executable that disables Windows Defender capabilities such as real-time monitoring and block at first sight.
- Quasar Payload
- RedLine
  RedLine Stealer is a malware family written in C#, first seen in early 2020.
- RedLine Payload
- Async RAT payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- XMRig Miner Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandbox environments.
- Deletes itself
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
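Two of the signatures above, "Identifies VirtualBox via ACPI registry values" and "Checks BIOS information in registry", are registry-read patterns that can be reproduced from a registry access trace. The script below is an added example, not the sandbox's own detection logic: it scores a constructed trace of registry reads against the two signatures and groups hits per process. The report names no key paths; the paths used here are the well-known VirtualBox and BIOS fingerprint locations that anti-VM code (pafish, al-khaser) queries, chosen by me, and the trace events are constructed.

```python
"""Reproduce the report's two registry-based anti-VM signatures over a
constructed registry-read trace. Key paths are my selection of the usual
VirtualBox/BIOS fingerprint locations; the report itself lists none."""
import re

# (signature name as printed in the report, key regex, value names or None for any)
SIGNATURES = [
    ("Identifies VirtualBox via ACPI registry values",
     re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
     None),
    ("Checks BIOS information in registry",
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System(\\BIOS)?$", re.I),
     {"systembiosversion", "videobiosversion", "systembiosdate",
      "systemmanufacturer", "systemproductname", "biosvendor"}),
]


def _normalize(key):
    """Fold the long hive name and a trailing backslash so traces from
    different tools compare equal."""
    return key.replace("HKEY_LOCAL_MACHINE", "HKLM").rstrip("\\")


def classify(event):
    """Return the report signature a registry read trips, or None."""
    key = _normalize(event["key"])
    value = event.get("value", "").lower()
    for name, key_re, values in SIGNATURES:
        if key_re.match(key) and (values is None or value in values):
            return name
    return None


def score_processes(events):
    """Group tripped signatures per pid. A process that reads both the ACPI
    tables and the BIOS strings is fingerprinting the host, which is the
    behaviour the report flags as likely anti-VM."""
    per_pid = {}
    for ev in events:
        sig = classify(ev)
        if sig:
            per_pid.setdefault(ev["pid"], set()).add(sig)
    return {pid: sorted(sigs) for pid, sigs in per_pid.items()}


# Constructed trace: pid 4120 stands in for the sample, pid 812 for a
# benign service reading unrelated system values.
SAMPLE_TRACE = [
    {"pid": 4120, "key": "HKLM\\HARDWARE\\DESCRIPTION\\System", "value": "SystemBiosVersion"},
    {"pid": 4120, "key": "HKLM\\HARDWARE\\DESCRIPTION\\System", "value": "VideoBiosVersion"},
    {"pid": 4120, "key": "HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__", "value": ""},
    {"pid": 4120, "key": "HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS", "value": "SystemManufacturer"},
    {"pid": 812, "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "value": "ProductName"},
    {"pid": 812, "key": "HKLM\\HARDWARE\\DESCRIPTION\\System", "value": "Identifier"},
]

if __name__ == "__main__":
    for pid, sigs in score_processes(SAMPLE_TRACE).items():
        print(pid, sigs)
```

The value-name filter on the BIOS signature matters: HKLM\HARDWARE\DESCRIPTION\System is read by plenty of legitimate software for fields like Identifier, and only the BIOS version and vendor strings carry the VirtualBox or VMware markers an anti-VM check is looking for.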
MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)

Defense Evasion
- Modify Registry (2)
- Disabling Security Tools (1)
- Virtualization/Sandbox Evasion (1)