Overview

Score: 10 (the static task and all eight behavioral tasks scored 10)

Analysis (this page shows behavioral7: windows10_x64, resource win10-en-20210920)
max time kernel: 602s
max time network: 445s
platform: windows10_x64
resource: win10-en-20210920
submitted: 26-09-2021 14:45
Tasks
task | type | resource
static1 | Static task | -
behavioral1 | Behavioral task | win7-ja-20210920
behavioral2 | Behavioral task | win7v20210408
behavioral3 | Behavioral task | win7-de-20210920
behavioral4 | Behavioral task | win11
behavioral5 | Behavioral task | win10v20210408
behavioral6 | Behavioral task | win10-ja-20210920
behavioral7 | Behavioral task | win10-en-20210920 (the task shown on this page)
behavioral8 | Behavioral task | win10-de-20210920
Sample for every behavioral task: c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
General
Target: c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
Size: 139KB
MD5: 3e201fc20a90e669990e2994d2114b83
SHA1: 24bfc9636c793e7ceb309b08e319b2d925a080bd
SHA256: c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24
SHA512: 4dae9203c1003ca32600d153d7a9f08fa3c50d7c665ee81d4d7608d8f47354e48493d4bb39af2a3259c7882ca0ba38f4db52033b0df3ddf4321cb7118b228591
Malware Config

Extracted: smokeloader (version 2020)
C2:
http://naghenrietti1.top/
http://kimballiett2.top/
http://xadriettany3.top/
http://jebeccallis4.top/
http://nityanneron5.top/
http://umayaniela6.top/
http://lynettaram7.top/
http://sadineyalas8.top/
http://geenaldencia9.top/
http://aradysiusep10.top/

Extracted: redline (botnet installszxc)
C2: 138.124.186.2:27999

Extracted: redline (botnet z0rm1onbuild)
C2: 45.156.21.209:56326
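The extracted configuration gives two indicator shapes: plain HTTP C2 domains for SmokeLoader and ip:port sockets for RedLine. The Python below is an added example, not part of the sandbox report or of any tooling it uses: it normalises those values into one indicator list and runs them over a few constructed DNS and connection log lines. The log lines, their field layout (qname=, dst=), the client address 10.0.0.12 and the "medium" tier for a RedLine IP seen on a different port are assumptions for the demonstration; only the C2 values come from the page.

```python
"""Added example: match the C2 values extracted from this sample against
DNS and connection logs. Only the C2 values are from the report; the log
lines and field layout below are constructed for the demonstration."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# SmokeLoader 2020 C2 URLs, as extracted on the report page.
SMOKELOADER_C2 = [
    "http://naghenrietti1.top/", "http://kimballiett2.top/",
    "http://xadriettany3.top/", "http://jebeccallis4.top/",
    "http://nityanneron5.top/", "http://umayaniela6.top/",
    "http://lynettaram7.top/", "http://sadineyalas8.top/",
    "http://geenaldencia9.top/", "http://aradysiusep10.top/",
]
# RedLine botnet name -> C2 socket, as extracted on the report page.
REDLINE_C2 = {
    "installszxc": "138.124.186.2:27999",
    "z0rm1onbuild": "45.156.21.209:56326",
}


@dataclass(frozen=True)
class Ioc:
    kind: str    # "domain" (SmokeLoader) or "socket" (RedLine ip:port)
    value: str
    family: str
    tag: str


def build_iocs() -> list[Ioc]:
    """Normalise the two config shapes into one indicator list."""
    iocs = [Ioc("domain", urlparse(u).hostname.lower(), "smokeloader", "version 2020")
            for u in SMOKELOADER_C2]
    iocs += [Ioc("socket", sock, "redline", f"botnet {name}")
             for name, sock in REDLINE_C2.items()]
    return iocs


# Constructed sample logs (hypothetical, not from the report). The client
# 10.0.0.12 is invented; the C2 values it contacts are the real ones above.
SAMPLE_DNS = [
    "2021-09-26T14:46:01Z client=10.0.0.12 qname=naghenrietti1.top qtype=A",
    "2021-09-26T14:46:02Z client=10.0.0.12 qname=www.microsoft.com qtype=A",
    "2021-09-26T14:46:05Z client=10.0.0.12 qname=AraDysiusep10.top. qtype=A",
]
SAMPLE_CONN = [
    "2021-09-26T14:47:10Z src=10.0.0.12:49712 dst=138.124.186.2:27999 proto=tcp",
    "2021-09-26T14:47:11Z src=10.0.0.12:49713 dst=45.156.21.209:443 proto=tcp",
    "2021-09-26T14:47:12Z src=10.0.0.12:49714 dst=45.156.21.209:56326 proto=tcp",
]

_QNAME = re.compile(r"\bqname=(\S+)")
_DST = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def match_logs(dns_lines, conn_lines, iocs):
    """Return one hit per log line that touches an indicator.

    DNS: exact match on the queried name (case-folded, trailing dot
    stripped, as resolvers log it). Connections: an exact ip:port match
    is 'high'; the same IP on another port is reported as 'medium', since
    a C2 host tends to outlive any one listening port.
    """
    by_domain = {i.value: i for i in iocs if i.kind == "domain"}
    by_socket = {i.value: i for i in iocs if i.kind == "socket"}
    by_ip = {i.value.split(":")[0]: i for i in by_socket.values()}
    hits = []
    for line in dns_lines:
        m = _QNAME.search(line)
        if m and (q := m.group(1).lower().rstrip(".")) in by_domain:
            hits.append({"line": line, "ioc": by_domain[q], "confidence": "high"})
    for line in conn_lines:
        m = _DST.search(line)
        if not m:
            continue
        ip, sock = m.group(1), f"{m.group(1)}:{m.group(2)}"
        if sock in by_socket:
            hits.append({"line": line, "ioc": by_socket[sock], "confidence": "high"})
        elif ip in by_ip:
            hits.append({"line": line, "ioc": by_ip[ip], "confidence": "medium"})
    return hits


if __name__ == "__main__":
    for h in match_logs(SAMPLE_DNS, SAMPLE_CONN, build_iocs()):
        print(f"[{h['confidence']}] {h['ioc'].family} {h['ioc'].tag}: {h['line']}")
```

The DNS match folds case and strips the trailing dot before comparing, because both variations show up in resolver logs for the same name; the RedLine socket match keeps the port as the primary key but still reports the bare IP, so a port change by the operator degrades the alert rather than silencing it.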
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (4 IoCs)
resource | yara_rule
behavioral7/files/0x000500000001aba9-165.dat | family_redline
behavioral7/memory/3872-166-0x0000000000D40000-0x0000000000D5E000-memory.dmp | family_redline
behavioral7/files/0x000500000001aba9-167.dat | family_redline
behavioral7/memory/3996-175-0x0000000004D00000-0x0000000005306000-memory.dmp | family_redline
The two memory matches are PID 3872 (49EA.exe) and PID 3996 (Stub.exe), both listed under "Executes dropped EXE" below; two RedLine payloads in memory line up with the two RedLine configurations extracted above (botnets installszxc and z0rm1onbuild).

SmokeLoader
Modular backdoor trojan in use since 2014.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Downloads MZ/PE file

Executes dropped EXE (8 IoCs)
pid | Process
3500 | 476.exe
3568 | 476.exe
508 | A09D.exe
3592 | jhufgts
3880 | jhufgts
2372 | 4546.exe
3872 | 49EA.exe
3996 | Stub.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | A09D.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | A09D.exe

Deletes itself (1 IoC)
pid | Process
3036 | Process not Found
The sandbox never resolves PID 3036 to an image name, but it is the process that writes into every dropped payload in the WriteProcessMemory table below (476.exe, A09D.exe, 4546.exe, 49EA.exe) and it accounts for almost all of the process enumeration, foreground-window polling and privilege adjustments in this run. Read it as the host process the SmokeLoader core was injected into, not as a separate binary.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Yara rule match: themida (3 IoCs)
resource | yara_rule
behavioral7/files/0x0008000000000689-127.dat | themida
behavioral7/files/0x0008000000000689-128.dat | themida
behavioral7/memory/508-131-0x0000000000F70000-0x0000000000F71000-memory.dmp | themida
The memory match is PID 508 (A09D.exe), the same process that reads the BIOS keys, checks EnableLUA and hides its thread from the debugger below, consistent with the anti-debug and anti-VM checks Themida builds into protected binaries.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled (1 IoC)
Reads the EnableLUA policy value, which is 0 when UAC is switched off.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | A09D.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid | Process
508 | A09D.exe
NtSetInformationThread with the ThreadHideFromDebugger class stops the kernel from delivering debug events for that thread, so an attached debugger loses control of it; this is a standard anti-debugging tactic, not something a benign installer does.
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 2492 set thread context of 2676 | 2492 | c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe | 70
PID 3500 set thread context of 3568 | 3500 | 476.exe | 72
PID 3592 set thread context of 3880 | 3592 | jhufgts | 79
In all three cases parent and child run the same image, the parent also writes into the child (WriteProcessMemory below) and the child then maps a section (MapViewOfSection below): a loader starting a copy of itself, overwriting the copy's memory and redirecting its thread, i.e. self-injection by process hollowing. The child is where the unpacked code runs, so memory dumps and SCSI/anti-sandbox checks show up on PIDs 2676, 3568 and 3880 rather than on their parents.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
That description is the sandbox's generic text for this signature; nothing else in this report points to ransomware, and enumerating drives is also a common anti-sandbox check, in keeping with the SCSI registry reads that follow.

Checks SCSI registry key(s) (3 TTPs, 9 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 476.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 476.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 476.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | jhufgts
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | jhufgts
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | jhufgts
Each of the three hollowed copies (the sample, 476.exe and jhufgts) opens, queries and enumerates the same key; the rows are grouped by process here.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Identical rows are collapsed; the entries column gives the number of rows in the original table.
pid | Process | entries
2676 | c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe | 2
3036 | Process not Found | 62

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
3036 | Process not Found

Suspicious behavior: MapViewOfSection (3 IoCs)
pid | Process
2676 | c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
3568 | 476.exe
3880 | jhufgts

Suspicious use of AdjustPrivilegeToken (60 IoCs)
Identical rows are collapsed; the entries column gives the number of rows in the original table.
description | pid | Process | entries
Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, requested alternately | 3036 | Process not Found | 54
Token: SeDebugPrivilege | 508 | A09D.exe | 1
Token: SeDebugPrivilege | 2372 | 4546.exe | 1
Token: SeDebugPrivilege | 3872 | 49EA.exe | 1
Token: 33 (privilege value left unnamed by the sandbox) | 3872 | 49EA.exe | 1
Token: SeIncBasePriorityPrivilege | 3872 | 49EA.exe | 1
Token: SeDebugPrivilege | 3996 | Stub.exe | 1
SeDebugPrivilege is requested only by the dropped payloads (A09D.exe, 4546.exe, 49EA.exe, Stub.exe); SeShutdownPrivilege and SeCreatePagefilePrivilege are requested only by PID 3036.

Suspicious use of WriteProcessMemory (32 IoCs)
Identical rows are collapsed; the entries column gives the number of rows in the original table.
description | pid | Process | procid_target | entries
PID 2492 wrote to memory of 2676 | 2492 | c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe | 70 | 6
PID 3036 wrote to memory of 3500 | 3036 | Process not Found | 71 | 3
PID 3500 wrote to memory of 3568 | 3500 | 476.exe | 72 | 6
PID 3036 wrote to memory of 508 | 3036 | Process not Found | 75 | 3
PID 3592 wrote to memory of 3880 | 3592 | jhufgts | 79 | 6
PID 3036 wrote to memory of 2372 | 3036 | Process not Found | 80 | 3
PID 3036 wrote to memory of 3872 | 3036 | Process not Found | 81 | 2
PID 2372 wrote to memory of 3996 | 2372 | 4546.exe | 82 | 3
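The injection signatures (SetThreadContext, WriteProcessMemory, MapViewOfSection) and the registry signatures (BIOS, EnableLUA, SCSI) are easier to read once correlated by PID. The Python below is an added example, not part of the sandbox report or its tooling: it transcribes the report's rows as tuples and recovers the three self-injection chains, identifies the unnamed PID 3036 as the process that launches every dropped payload, and lists which processes read sandbox-fingerprinting keys. The PIDs assigned to the SCSI rows (2676, 3568, 3880) are taken from the process tree, which attributes that check to the hollowed children; the category names and the "most children with a different image" heuristic are my own.

```python
"""Added example: correlate the injection and registry signatures of this
report to recover the self-injection chains, the unnamed host process and
the anti-sandbox registry readers. Event tuples are transcribed from the
report tables; repeated WriteProcessMemory rows are collapsed to one tuple."""
from collections import defaultdict

SAMPLE = "c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe"

# pid -> image, from the "Executes dropped EXE" table and the process tree.
# 3036 keeps the sandbox's own label because the report never resolves it.
IMAGES = {
    2492: SAMPLE, 2676: SAMPLE, 3500: "476.exe", 3568: "476.exe",
    508: "A09D.exe", 3592: "jhufgts", 3880: "jhufgts", 2372: "4546.exe",
    3872: "49EA.exe", 3996: "Stub.exe", 3036: "Process not Found",
}

# (event, source_pid, target_pid) from the SetThreadContext,
# WriteProcessMemory and MapViewOfSection tables (target None = own process).
EVENTS = [
    ("set_thread_context", 2492, 2676), ("set_thread_context", 3500, 3568),
    ("set_thread_context", 3592, 3880),
    ("write_process_memory", 2492, 2676), ("write_process_memory", 3036, 3500),
    ("write_process_memory", 3500, 3568), ("write_process_memory", 3036, 508),
    ("write_process_memory", 3592, 3880), ("write_process_memory", 3036, 2372),
    ("write_process_memory", 3036, 3872), ("write_process_memory", 2372, 3996),
    ("map_view_of_section", 2676, None), ("map_view_of_section", 3568, None),
    ("map_view_of_section", 3880, None),
]

# (pid, registry key) from the BIOS, UAC and SCSI tables; the SCSI rows name
# only the image, so their PIDs are the hollowed children from the process tree.
REGISTRY_READS = [
    (508, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (508, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (508, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    (2676, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"),
    (3568, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"),
    (3880, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"),
]

# Case-insensitive key fragments that expose a VM or sandbox (my own labels).
# EnableLUA is deliberately absent: it is a UAC check, not an evasion check.
ANTI_SANDBOX_KEYS = {
    "bios": ("systembiosversion", "videobiosversion"),
    "scsi": ("controlset001\\enum\\scsi",),
}


def find_hollowing_chains(events, images):
    """(parent, child, image) for every child whose parent both wrote its
    memory and replaced its thread context, where both run the same image
    and the child then mapped a section: self-injection by hollowing."""
    ctx = {(s, t) for e, s, t in events if e == "set_thread_context"}
    wpm = {(s, t) for e, s, t in events if e == "write_process_memory"}
    mapped = {s for e, s, _ in events if e == "map_view_of_section"}
    return [(p, c, images[c]) for p, c in sorted(ctx & wpm)
            if images.get(p) == images.get(c) and c in mapped]


def find_loader_host(events, images):
    """The process writing into the most distinct children that run a
    different image from its own: the injected host launching the dropped
    payloads. Returns (pid, {child pids}); (None, set()) if no writes."""
    fanout = defaultdict(set)
    for e, s, t in events:
        if e == "write_process_memory" and images.get(t) != images.get(s):
            fanout[s].add(t)
    if not fanout:
        return None, set()
    host = max(fanout, key=lambda p: len(fanout[p]))
    return host, fanout[host]


def anti_sandbox_readers(reads):
    """pid -> set of evasion-check categories whose keys it read."""
    found = defaultdict(set)
    for pid, key in reads:
        k = key.lower()
        for label, fragments in ANTI_SANDBOX_KEYS.items():
            if any(f in k for f in fragments):
                found[pid].add(label)
    return dict(found)


if __name__ == "__main__":
    for parent, child, image in find_hollowing_chains(EVENTS, IMAGES):
        print(f"hollowing: {image} {parent} -> {child}")
    host, children = find_loader_host(EVENTS, IMAGES)
    print(f"loader host {host} ({IMAGES[host]}) started: "
          + ", ".join(IMAGES[c] for c in sorted(children)))
    print("anti-sandbox readers:", anti_sandbox_readers(REGISTRY_READS))
```

Requiring all three events (write, context switch, then a section map in the child) keeps ordinary parent-child spawns out of the hollowing list, and the host heuristic deliberately ignores same-image writes so that the three hollowing parents are not mistaken for the loader's host.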
Processes
Indentation shows the tree depth the sandbox recorded (level 1 and level 2). 476.exe, A09D.exe, 4546.exe and 49EA.exe sit at the top level because their parent, PID 3036, is not resolved by the sandbox (see WriteProcessMemory above). jhufgts in AppData\Roaming runs the same self-injection sequence as the original sample, consistent with a copy of the loader dropped for persistence.

C:\Users\Admin\AppData\Local\Temp\c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe (PID 2492)
  command line: "C:\Users\Admin\AppData\Local\Temp\c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe (PID 2676, child of 2492)
      command line: "C:\Users\Admin\AppData\Local\Temp\c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\476.exe (PID 3500)
  command line: C:\Users\Admin\AppData\Local\Temp\476.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\476.exe (PID 3568, child of 3500)
      command line: C:\Users\Admin\AppData\Local\Temp\476.exe
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\A09D.exe (PID 508)
  command line: C:\Users\Admin\AppData\Local\Temp\A09D.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\jhufgts (PID 3592)
  command line: C:\Users\Admin\AppData\Roaming\jhufgts
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\jhufgts (PID 3880, child of 3592)
      command line: C:\Users\Admin\AppData\Roaming\jhufgts
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\4546.exe (PID 2372)
  command line: C:\Users\Admin\AppData\Local\Temp\4546.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\ProgramData\Stub.exe (PID 3996, child of 2372)
      command line: "C:\ProgramData\Stub.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\49EA.exe (PID 3872)
  command line: C:\Users\Admin\AppData\Local\Temp\49EA.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken