Overview

overview

10

Static

static

6c30290bed...f9.exe

windows7_x64

10

6c30290bed...f9.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    07-10-2021 07:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c30290bedf555aab7b65c58923776f9.exe

  • Size

    229KB

  • MD5

    6c30290bedf555aab7b65c58923776f9

  • SHA1

    c75e3a5a276b7b01b8f232e6dcbc2e230f317f10

  • SHA256

    088524a1bb8efd9ffe5f7f9e7ee536fa38c277a3309c8d4c52f2e9897b7190b3

  • SHA512

    76d13be079c92b2bb32eca16ec94848fa46fca8de51ab7e9aeb2b9fdf50ed1e4e9e6db94ab0177dbba5f70bcbb707db4440d623a92c4ec8bc3c44a196e368635

Score
10/10
raccoonredlinesmokeloadervidar2ea41939378a473cbe7002fd507389778c0f10e78008d179b9e611eee525425544ee8c6d77360ab7cd9backdoordiscoveryinfostealerspywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://fiskahlilian16.top/

http://paishancho17.top/

http://ydiannetter18.top/

http://azarehanelle19.top/

http://quericeriant20.top/
rc4.i32
rc4.i32

Extracted

Family

raccoon

Version

1.8.2

Botnet

2ea41939378a473cbe7002fd507389778c0f10e7

Attributes
  • url4cnc

    http://teletop.top/stevuitreen

    http://teleta.top/stevuitreen

    https://t.me/stevuitreen

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

800

C2

87.251.71.44:80

Extracted

Family

raccoon

Version

1.8.2

Botnet

8d179b9e611eee525425544ee8c6d77360ab7cd9

Attributes
  • url4cnc

    http://teletop.top/agrybirdsgamerept

    http://teleta.top/agrybirdsgamerept

    https://t.me/agrybirdsgamerept

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar Stealer 3 IoCs
    stealer
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c30290bedf555aab7b65c58923776f9.exe
    "C:\Users\Admin\AppData\Local\Temp\6c30290bedf555aab7b65c58923776f9.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4060
    • C:\Users\Admin\AppData\Local\Temp\6c30290bedf555aab7b65c58923776f9.exe
      "C:\Users\Admin\AppData\Local\Temp\6c30290bedf555aab7b65c58923776f9.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:500
  • C:\Users\Admin\AppData\Local\Temp\A36F.exe
    C:\Users\Admin\AppData\Local\Temp\A36F.exe
    1⤵
    • Executes dropped EXE
    PID:3956
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 916
      2⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:1660
  • C:\Users\Admin\AppData\Local\Temp\A6DB.exe
    C:\Users\Admin\AppData\Local\Temp\A6DB.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3272
  • C:\Users\Admin\AppData\Local\Temp\ADD1.exe
    C:\Users\Admin\AppData\Local\Temp\ADD1.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im ADD1.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\ADD1.exe" & del C:\ProgramData\*.dll & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3788
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im ADD1.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3844
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 6
        3⤵
        • Delays execution with timeout.exe
        PID:496
  • C:\Users\Admin\AppData\Local\Temp\B832.exe
    C:\Users\Admin\AppData\Local\Temp\B832.exe
    1⤵
    • Executes dropped EXE
    PID:604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\freebl3.dll
    MD5

    ef2834ac4ee7d6724f255beaf527e635

    SHA1

    5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

    SHA256

    a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

    SHA512

    c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

    Download Submit
  • C:\ProgramData\mozglue.dll
    MD5

    8f73c08a9660691143661bf7332c3c27

    SHA1

    37fa65dd737c50fda710fdbde89e51374d0c204a

    SHA256

    3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

    SHA512

    0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

    Download Submit
  • C:\ProgramData\msvcp140.dll
    MD5

    109f0f02fd37c84bfc7508d4227d7ed5

    SHA1

    ef7420141bb15ac334d3964082361a460bfdb975

    SHA256

    334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

    SHA512

    46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

    Download Submit
  • C:\ProgramData\nss3.dll
    MD5

    bfac4e3c5908856ba17d41edcd455a51

    SHA1

    8eec7e888767aa9e4cca8ff246eb2aacb9170428

    SHA256

    e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

    SHA512

    2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

    Download Submit
  • C:\ProgramData\softokn3.dll
    MD5

    a2ee53de9167bf0d6c019303b7ca84e5

    SHA1

    2a3c737fa1157e8483815e98b666408a18c0db42

    SHA256

    43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

    SHA512

    45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

    Download Submit
  • C:\ProgramData\vcruntime140.dll
    MD5

    7587bf9cb4147022cd5681b015183046

    SHA1

    f2106306a8f6f0da5afb7fc765cfa0757ad5a628

    SHA256

    c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

    SHA512

    0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\A36F.exe
    MD5

    0c90e036a37a8f57b80fee2953820891

    SHA1

    8c964a6de0faac43f90f55309bf315c9708f4140

    SHA256

    89b6a716517b20532f1ca19f527478433e699f2ab53e6a2f6b6e81843136dcde

    SHA512

    756883cf25e3627f180c70fbdfaf9a43917d060d12ef526dd487178909dc624844071ba9d7eb223feed5f34075f6939704d9c45c70a6e0660dc9ed9222055176

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\A36F.exe
    MD5

    0c90e036a37a8f57b80fee2953820891

    SHA1

    8c964a6de0faac43f90f55309bf315c9708f4140

    SHA256

    89b6a716517b20532f1ca19f527478433e699f2ab53e6a2f6b6e81843136dcde

    SHA512

    756883cf25e3627f180c70fbdfaf9a43917d060d12ef526dd487178909dc624844071ba9d7eb223feed5f34075f6939704d9c45c70a6e0660dc9ed9222055176

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\A6DB.exe
    MD5

    01d1d18a42915c87fb8bae3040e755a5

    SHA1

    f5704e111af545d3eae870070dbdd8579594dc08

    SHA256

    d849e31cebfb34afaf8ab4477150264c76316be3f50d28bb2949d9039f8dba9a

    SHA512

    a4e5e77c594649e8a0644e4fbd629eec31ba776115f4738ad1fa3dbc45ed393dc20345d099518165707d56f20cd9ff2f2f810802bdd0b011780fb8c9e05b9aae

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\A6DB.exe
    MD5

    01d1d18a42915c87fb8bae3040e755a5

    SHA1

    f5704e111af545d3eae870070dbdd8579594dc08

    SHA256

    d849e31cebfb34afaf8ab4477150264c76316be3f50d28bb2949d9039f8dba9a

    SHA512

    a4e5e77c594649e8a0644e4fbd629eec31ba776115f4738ad1fa3dbc45ed393dc20345d099518165707d56f20cd9ff2f2f810802bdd0b011780fb8c9e05b9aae

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ADD1.exe
    MD5

    27d1197680a631b6fb5c5008ec3c5d36

    SHA1

    cc64f4e0e5f679a00daae593c1f0a6c0662012f6

    SHA256

    d47be54e6dd8095583ee626ebda0cc27211e14f2826b63c557880cb4c09cf732

    SHA512

    52988617c1d399cfef1cc432838f1f7f68c47803f94468661fc2e8d825281d514ab0529a1d1c97d957780813b8e989ca2ac466d3e30562df69be9b0e95ef871a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ADD1.exe
    MD5

    27d1197680a631b6fb5c5008ec3c5d36

    SHA1

    cc64f4e0e5f679a00daae593c1f0a6c0662012f6

    SHA256

    d47be54e6dd8095583ee626ebda0cc27211e14f2826b63c557880cb4c09cf732

    SHA512

    52988617c1d399cfef1cc432838f1f7f68c47803f94468661fc2e8d825281d514ab0529a1d1c97d957780813b8e989ca2ac466d3e30562df69be9b0e95ef871a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\B832.exe
    MD5

    83e3ecb0c403ca2af3eb7240f2f8dda4

    SHA1

    b92a390e6e2e55e5f9d902e9dbb6e27e6c75ee1c

    SHA256

    b41cc1b91ac4552c2609c74c19f285b65a6d44aec5a697d236b6e64cdc0ea52b

    SHA512

    6ad3c8bffd8352115d617be9fb3b70aea1153cd228927648d0cdc58e8c239235a2c2c92a853021ba1e557c2bd1452a7c05c7f1e2de4a53099a2ef3ba5155d4f7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\B832.exe
    MD5

    83e3ecb0c403ca2af3eb7240f2f8dda4

    SHA1

    b92a390e6e2e55e5f9d902e9dbb6e27e6c75ee1c

    SHA256

    b41cc1b91ac4552c2609c74c19f285b65a6d44aec5a697d236b6e64cdc0ea52b

    SHA512

    6ad3c8bffd8352115d617be9fb3b70aea1153cd228927648d0cdc58e8c239235a2c2c92a853021ba1e557c2bd1452a7c05c7f1e2de4a53099a2ef3ba5155d4f7

    Download Submit
  • \ProgramData\mozglue.dll
    MD5

    8f73c08a9660691143661bf7332c3c27

    SHA1

    37fa65dd737c50fda710fdbde89e51374d0c204a

    SHA256

    3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

    SHA512

    0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

    Download Submit
  • \ProgramData\nss3.dll
    MD5

    bfac4e3c5908856ba17d41edcd455a51

    SHA1

    8eec7e888767aa9e4cca8ff246eb2aacb9170428

    SHA256

    e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

    SHA512

    2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

    Download Submit
  • memory/496-160-0x0000000000000000-mapping.dmp
    Download
  • memory/500-115-0x0000000000402F18-mapping.dmp
    Download
  • memory/500-114-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

    Download
  • memory/604-143-0x0000000000000000-mapping.dmp
    Download
  • memory/604-148-0x00000000009E0000-0x0000000000B2A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/604-149-0x0000000000400000-0x00000000008A7000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/3004-147-0x0000000000400000-0x00000000004D9000-memory.dmp
    Filesize

    868KB

    Download
  • memory/3004-146-0x00000000007E0000-0x00000000008B6000-memory.dmp
    Filesize

    856KB

    Download
  • memory/3004-124-0x0000000000000000-mapping.dmp
    Download
  • memory/3016-117-0x0000000000FB0000-0x0000000000FC5000-memory.dmp
    Filesize

    84KB

    Download
  • memory/3272-153-0x00000000066D0000-0x00000000066D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3272-131-0x0000000004A20000-0x0000000004A5C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/3272-142-0x0000000004B70000-0x0000000004B71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3272-139-0x0000000004BD4000-0x0000000004BD6000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3272-140-0x0000000004BD3000-0x0000000004BD4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3272-141-0x0000000004AF0000-0x0000000004AF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3272-138-0x0000000004BD2000-0x0000000004BD3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3272-137-0x00000000056F0000-0x00000000056F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3272-135-0x0000000004AC0000-0x0000000004AC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3272-134-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/3272-133-0x0000000000550000-0x00000000005AA000-memory.dmp
    Filesize

    360KB

    Download
  • memory/3272-132-0x00000000050E0000-0x00000000050E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3272-152-0x0000000006500000-0x0000000006501000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3272-136-0x0000000004BD0000-0x0000000004BD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3272-154-0x0000000006D00000-0x0000000006D01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3272-155-0x0000000007060000-0x0000000007061000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3272-156-0x0000000007130000-0x0000000007131000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3272-157-0x0000000007210000-0x0000000007211000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3272-121-0x0000000000000000-mapping.dmp
    Download
  • memory/3272-129-0x00000000023E0000-0x000000000241D000-memory.dmp
    Filesize

    244KB

    Download
  • memory/3272-130-0x0000000004BE0000-0x0000000004BE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3272-161-0x0000000007260000-0x0000000007261000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3788-158-0x0000000000000000-mapping.dmp
    Download
  • memory/3844-159-0x0000000000000000-mapping.dmp
    Download
  • memory/3956-128-0x0000000000400000-0x0000000000491000-memory.dmp
    Filesize

    580KB

    Download
  • memory/3956-127-0x00000000006E0000-0x000000000076E000-memory.dmp
    Filesize

    568KB

    Download
  • memory/3956-118-0x0000000000000000-mapping.dmp
    Download
  • memory/4060-116-0x0000000000030000-0x0000000000039000-memory.dmp
    Filesize

    36KB

    Download