Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    25-09-2021 12:01

General

  • Target

    71120847eff09db71c9795b44128a24a.exe

  • Size

    149KB

  • MD5

    71120847eff09db71c9795b44128a24a

  • SHA1

    1a63abea5fbfb65d786aee239428a06c74f8051e

  • SHA256

    8350538160b089becbb7142d16ecf8089b16fbf11ead40dc1169a9e6104c0304

  • SHA512

    2ba08567743f79daaea72cfefa971cf2983dd0484e654a5e85cf1bd03f9219bcb3e6c85ca1fc2592bba99c511370e2869be25775e2c9b6579a55a711ed9b361b

Malware Config

Extracted

  • Family
    smokeloader
  • Version
    2020
  • C2
    http://naghenrietti1.top/
    http://kimballiett2.top/
    http://xadriettany3.top/
    http://jebeccallis4.top/
    http://nityanneron5.top/
    http://umayaniela6.top/
    http://lynettaram7.top/
    http://sadineyalas8.top/
    http://geenaldencia9.top/
    http://aradysiusep10.top/
  • rc4.i32
  • rc4.i32

Extracted

  • Family
    redline
  • Botnet
    228
  • C2
    159.69.123.122:23857

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • BitRAT Payload 4 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 3 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
  • Executes dropped EXE 4 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\71120847eff09db71c9795b44128a24a.exe
    "C:\Users\Admin\AppData\Local\Temp\71120847eff09db71c9795b44128a24a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Users\Admin\AppData\Local\Temp\71120847eff09db71c9795b44128a24a.exe
      "C:\Users\Admin\AppData\Local\Temp\71120847eff09db71c9795b44128a24a.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1984
  • C:\Users\Admin\AppData\Local\Temp\1370.exe
    C:\Users\Admin\AppData\Local\Temp\1370.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Users\Admin\AppData\Local\Temp\1370.exe
      C:\Users\Admin\AppData\Local\Temp\1370.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:656
  • C:\Users\Admin\AppData\Local\Temp\1B4D.exe
    C:\Users\Admin\AppData\Local\Temp\1B4D.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:704
    • C:\Users\Admin\AppData\Local\Temp\1B4D.exe
      C:\Users\Admin\AppData\Local\Temp\1B4D.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:572

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 1
  • Credential Access
    Credentials in Files (T1081): 2
  • Discovery
    Query Registry (T1012): 2
    Peripheral Device Discovery (T1120): 1
    System Information Discovery (T1082): 1
  • Collection
    Data from Local System (T1005): 2

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1370.exe
    MD5

    d347bf10b61b6f65674ac3e4f226afea

    SHA1

    e42d1bb38608e3550d93e0282421b46523391cdc

    SHA256

    27849ddf81f2357a15b936f3a44c3f91646c530c415040d3c3f33d97c674192c

    SHA512

    288ecd86514f3119f3df5c779de98489e31edec9dc780f4b941cc0f2e052fe56e709ba0428ab6b6f38da5eb2fdc1720c606df03f64301c4d2ede08c439f70780

  • C:\Users\Admin\AppData\Local\Temp\1B4D.exe
    MD5

    cbf81c03578922e3b7137fbfd87c76c4

    SHA1

    0383a6790f9ace2b1995fd8949490a55596bada3

    SHA256

    7d07881122ad5aec22af11527ade597fd66bd3820ca048cdb0c81337ded7e4bd

    SHA512

    424fdd2682b5f0a8849ed1885dec3a8a3b38a6da4cd2630f439774e6478279821920ad206e906b645793ad4160ffabff19db728f55c3f859e161d44707585f07

  • \Users\Admin\AppData\Local\Temp\1370.exe
    MD5

    d347bf10b61b6f65674ac3e4f226afea

    SHA1

    e42d1bb38608e3550d93e0282421b46523391cdc

    SHA256

    27849ddf81f2357a15b936f3a44c3f91646c530c415040d3c3f33d97c674192c

    SHA512

    288ecd86514f3119f3df5c779de98489e31edec9dc780f4b941cc0f2e052fe56e709ba0428ab6b6f38da5eb2fdc1720c606df03f64301c4d2ede08c439f70780

  • \Users\Admin\AppData\Local\Temp\1B4D.exe
    MD5

    cbf81c03578922e3b7137fbfd87c76c4

    SHA1

    0383a6790f9ace2b1995fd8949490a55596bada3

    SHA256

    7d07881122ad5aec22af11527ade597fd66bd3820ca048cdb0c81337ded7e4bd

    SHA512

    424fdd2682b5f0a8849ed1885dec3a8a3b38a6da4cd2630f439774e6478279821920ad206e906b645793ad4160ffabff19db728f55c3f859e161d44707585f07

  • memory/572-75-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

  • memory/572-80-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

  • memory/572-76-0x000000000068A488-mapping.dmp
  • memory/656-68-0x000000000041C5D6-mapping.dmp
  • memory/656-67-0x0000000000400000-0x0000000000436000-memory.dmp
    Filesize

    216KB

  • memory/656-70-0x0000000000400000-0x0000000000436000-memory.dmp
    Filesize

    216KB

  • memory/656-72-0x00000000048A0000-0x00000000048A1000-memory.dmp
    Filesize

    4KB

  • memory/704-79-0x0000000002360000-0x0000000002725000-memory.dmp
    Filesize

    3.8MB

  • memory/704-65-0x0000000000000000-mapping.dmp
  • memory/1384-57-0x00000000025A0000-0x00000000025B6000-memory.dmp
    Filesize

    88KB

  • memory/1612-58-0x0000000000000000-mapping.dmp
  • memory/1612-63-0x0000000000FC0000-0x0000000000FC1000-memory.dmp
    Filesize

    4KB

  • memory/1612-61-0x0000000001000000-0x0000000001001000-memory.dmp
    Filesize

    4KB

  • memory/1984-54-0x0000000000402FA5-mapping.dmp
  • memory/1984-53-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

  • memory/1984-55-0x0000000075C11000-0x0000000075C13000-memory.dmp
    Filesize

    8KB

  • memory/2004-56-0x0000000000220000-0x0000000000229000-memory.dmp
    Filesize

    36KB