Analysis
-
max time kernel
150s -
max time network
130s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
24-09-2021 21:06
General
-
Target
e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cf.exe
-
Size
287KB
-
MD5
6cbf95206889d06445d284b862cf18bf
-
SHA1
c85b2f93e81da0d5759f195afdf91a645343fe5d
-
SHA256
e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143
-
SHA512
45d81eddf9e9c38ed9b8ec6510b6b34c752c5ccc01e22028549ef19921308a8531dbb8c5f9f79833e5df350dd47dc2a3edd430926d45f4f1f31fd329c50393e4
Malware Config
Extracted
smokeloader
2020
http://naghenrietti1.top/
http://kimballiett2.top/
http://xadriettany3.top/
http://jebeccallis4.top/
http://nityanneron5.top/
http://umayaniela6.top/
http://lynettaram7.top/
http://sadineyalas8.top/
http://geenaldencia9.top/
http://aradysiusep10.top/
Extracted
redline
2k superstar
185.244.180.224:39957
Extracted
raccoon
5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4
-
url4cnc
https://t.me/agrybirdsgamerept
Signatures
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 10 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cf.exe"C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cf.exe"C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cf.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\1006.exeC:\Users\Admin\AppData\Local\Temp\1006.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\140D.exeC:\Users\Admin\AppData\Local\Temp\140D.exe1⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\195B.exeC:\Users\Admin\AppData\Local\Temp\195B.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
4266f72b05afa83f395e890b76eadf69
SHA1489386ba56760821f6e35712028410da476fe258
SHA2566b1e04d8ef0395166da7d784c80ec3b8e85593ec862e54c07976ef14b28c70e4
SHA512a375f17bc9283e7edb8f492d616ec3f192d9943251a4323138c99b565dbb03a5734b4116b7b47830680dea16713155cb96e51ea32ce96f479c48e9bd0bb9556a
-
MD5
0a465be9c75469e6f2398b2668a2c5f2
SHA19b610498a08345fe3280b6c79ed4b5d1945d6a79
SHA256eca0040a928bb7f215b2379bf40b65397d4ead565ab8ad9a19c61740228e9f33
SHA512eaa28aafc65e1d847f292e9e43279913b737bfb6649758548df11ebbb3de7c8c6c8e0568091b7f4261feea14a63e2dac68cb7bc1c4c0c1ef517a14f6a02873c9
-
MD5
0a465be9c75469e6f2398b2668a2c5f2
SHA19b610498a08345fe3280b6c79ed4b5d1945d6a79
SHA256eca0040a928bb7f215b2379bf40b65397d4ead565ab8ad9a19c61740228e9f33
SHA512eaa28aafc65e1d847f292e9e43279913b737bfb6649758548df11ebbb3de7c8c6c8e0568091b7f4261feea14a63e2dac68cb7bc1c4c0c1ef517a14f6a02873c9
-
MD5
1d16e9a8731a898b05829797b937c57d
SHA1fc08c31f5581a1cee371131ec28f02fde864562c
SHA2564237784e386651ca80bf952a1cb3affb27d33ce897336516cc0eca0896eb5bdc
SHA51289a432eaaaf0ee07a1d76f27b6d6d06e99b5850e087d07e1f115dc4c7147a69423cf4922b5337cdf6e18e13c4eda125d0fa640b89391375bc8a89e5649c69a8a
-
MD5
0a465be9c75469e6f2398b2668a2c5f2
SHA19b610498a08345fe3280b6c79ed4b5d1945d6a79
SHA256eca0040a928bb7f215b2379bf40b65397d4ead565ab8ad9a19c61740228e9f33
SHA512eaa28aafc65e1d847f292e9e43279913b737bfb6649758548df11ebbb3de7c8c6c8e0568091b7f4261feea14a63e2dac68cb7bc1c4c0c1ef517a14f6a02873c9
-
Filesize
39.8MB
-
Filesize
576KB
-
-
-
Filesize
524KB
-
Filesize
124KB
-
Filesize
4KB
-
Filesize
280KB
-
Filesize
316KB
-
Filesize
20KB
-
Filesize
312KB
-
Filesize
8KB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
8KB
-
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
124KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
39.6MB
-
Filesize
192KB
-