Analysis

- max time kernel: 1802s
- max time network: 1592s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 26-09-2021 14:45
Static task: static1

Behavioral tasks (sample 3dd4ba94c558b54ba1fe639566cbc368.exe in every task):
- behavioral1: resource win7-ja-20210920
- behavioral2: resource win7v20210408
- behavioral3: resource win7-de-20210920
- behavioral4: resource win11
- behavioral5: resource win10v20210408
- behavioral6: resource win10-ja-20210920
- behavioral7: resource win10-en-20210920
- behavioral8: resource win10-de-20210920
General

- Target: 3dd4ba94c558b54ba1fe639566cbc368.exe
- Size: 237KB
- MD5: 3dd4ba94c558b54ba1fe639566cbc368
- SHA1: 8c44f1c918c3d2fd48694e8af653e473be3e02c1
- SHA256: c75b223b462ba88c62c1c8d848a845e7aeacc0ec0c96a7ecf1644e782accdd52
- SHA512: 58e828507bd3be52ea340ed835c3dc06a655db0a067c746ef65e7382d2b09eb5e7d6847dc679b89539826b598749e60ddf62859e25930b8e586acc11228bb1fa
Malware Config

Extracted
- Family: smokeloader
- Version: 2020
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Arkei Stealer Payload (1 IoC)
  resource: behavioral7/memory/4080-144-0x0000000000400000-0x000000000044D000-memory.dmp
  yara_rule: family_arkei
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Downloads MZ/PE file
- Executes dropped EXE (8 IoCs)
  pid 2672  160A.exe
  pid 4080  1337.exe
  pid 2144  sfaudft
  pid 2256  sfaudft
  pid 2696  sfaudft
  pid 3132  sfaudft
  pid 1284  sfaudft
  pid 1044  sfaudft
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (160A.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (160A.exe)
- Deletes itself (1 IoC)
  pid 3028  Process not Found
- Loads dropped DLL (3 IoCs)
  pid 4080  1337.exe (3 entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- YARA rule themida matched (2 IoCs)
  resource: behavioral7/files/0x000500000001abbb-120.dat, yara_rule: themida
  resource: behavioral7/memory/2672-123-0x0000000000C70000-0x0000000000C71000-memory.dmp, yara_rule: themida
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (160A.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid 2672  160A.exe
- Suspicious use of SetThreadContext (4 IoCs)
  PID 2060 set thread context of 2248  (3dd4ba94c558b54ba1fe639566cbc368.exe, procid_target 70)
  PID 2144 set thread context of 2256  (sfaudft, procid_target 80)
  PID 2696 set thread context of 3132  (sfaudft, procid_target 82)
  PID 1284 set thread context of 1044  (sfaudft, procid_target 84)
- Program crash (1 IoC)
  pid 1676  WerFault.exe, pid_target 4080, procid_target 76
- Checks SCSI registry key(s) (3 TTPs, 12 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI:
  opened, enumerated and queried by 3dd4ba94c558b54ba1fe639566cbc368.exe (3 entries)
  opened, enumerated and queried by sfaudft (9 entries, three of each)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2248  3dd4ba94c558b54ba1fe639566cbc368.exe (2 entries)
  pid 3028  Process not Found (62 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 3028  Process not Found
- Suspicious behavior: MapViewOfSection (4 IoCs)
  pid 2248  3dd4ba94c558b54ba1fe639566cbc368.exe
  pid 2256  sfaudft
  pid 3132  sfaudft
  pid 1044  sfaudft
- Suspicious use of AdjustPrivilegeToken (50 IoCs)
  Token: SeShutdownPrivilege / SeCreatePagefilePrivilege  pid 3028  Process not Found (46 entries, alternating between the two privileges)
  Token: SeDebugPrivilege  pid 2672  160A.exe
  Token: SeRestorePrivilege  pid 1676  WerFault.exe
  Token: SeBackupPrivilege  pid 1676  WerFault.exe
  Token: SeDebugPrivilege  pid 1676  WerFault.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
  PID 2060 wrote to memory of 2248  (3dd4ba94c558b54ba1fe639566cbc368.exe, procid_target 70, 6 entries)
  PID 3028 wrote to memory of 2672  (Process not Found, procid_target 71, 3 entries)
  PID 3028 wrote to memory of 4080  (Process not Found, procid_target 76, 3 entries)
  PID 2144 wrote to memory of 2256  (sfaudft, procid_target 80, 6 entries)
  PID 2696 wrote to memory of 3132  (sfaudft, procid_target 82, 6 entries)
  PID 1284 wrote to memory of 1044  (sfaudft, procid_target 84, 6 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\3dd4ba94c558b54ba1fe639566cbc368.exe (PID 2060)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3dd4ba94c558b54ba1fe639566cbc368.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Local\Temp\3dd4ba94c558b54ba1fe639566cbc368.exe (PID 2248)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3dd4ba94c558b54ba1fe639566cbc368.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\160A.exe (PID 2672)
  Command line: C:\Users\Admin\AppData\Local\Temp\160A.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\1337.exe (PID 4080)
  Command line: C:\Users\Admin\AppData\Local\Temp\1337.exe
  - Executes dropped EXE
  - Loads dropped DLL
  Child: C:\Windows\SysWOW64\WerFault.exe (PID 1676)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1324
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\sfaudft (PID 2144)
  Command line: C:\Users\Admin\AppData\Roaming\sfaudft
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Roaming\sfaudft (PID 2256)
    Command line: C:\Users\Admin\AppData\Roaming\sfaudft
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\sfaudft (PID 2696)
  Command line: C:\Users\Admin\AppData\Roaming\sfaudft
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Roaming\sfaudft (PID 3132)
    Command line: C:\Users\Admin\AppData\Roaming\sfaudft
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\sfaudft (PID 1284)
  Command line: C:\Users\Admin\AppData\Roaming\sfaudft
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Roaming\sfaudft (PID 1044)
    Command line: C:\Users\Admin\AppData\Roaming\sfaudft
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection