Analysis
-
max time kernel
151s -
max time network
138s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
12-10-2021 10:40
General
-
Target
00fd83e40d8d72a43cacf66dccb74ac3667718e3de33dce519714ee2bede3668.exe
-
Size
175KB
-
MD5
8ec7e909ea2aff4d5ebe1cd03a04519c
-
SHA1
68630780cf21e0e319f7419195bbf85b539f8ba3
-
SHA256
00fd83e40d8d72a43cacf66dccb74ac3667718e3de33dce519714ee2bede3668
-
SHA512
e95ba0a810ff0f78a2f9937ced8189314c6abb8ac4767541b680bcb5a6dc199a6a6c9c2c5b9d4498fca37f561410ffbf69d5d6b46f0a337208c33aca77223820
Malware Config
Extracted
smokeloader
2020
http://linavanandr11.club/
http://iselaharty12.club/
http://giovaninardo13.club/
http://zayneliann14.club/
http://zorinosali15.club/
Extracted
raccoon
1.8.2
fbe5e97e7d069407605ee9138022aa82166657e6
-
url4cnc
http://telemirror.top/stevuitreen
http://tgmirror.top/stevuitreen
http://telegatt.top/stevuitreen
http://telegka.top/stevuitreen
http://telegin.top/stevuitreen
https://t.me/stevuitreen
Extracted
vidar
41.3
1033
https://mas.to/@oleg98
-
profile_id
1033
Extracted
redline
159
190.2.136.29:3279
Extracted
redline
w1
109.234.34.165:12323
Extracted
raccoon
1.8.2
8d179b9e611eee525425544ee8c6d77360ab7cd9
-
url4cnc
http://teletop.top/agrybirdsgamerept
http://teleta.top/agrybirdsgamerept
https://t.me/agrybirdsgamerept
Extracted
redline
MegaProliv
93.115.20.139:28978
Signatures
-
Arkei
Arkei is an infostealer written in C++.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 7 IoCs
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Arkei Stealer Payload 4 IoCs
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 12 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 10 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 8 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\00fd83e40d8d72a43cacf66dccb74ac3667718e3de33dce519714ee2bede3668.exe"C:\Users\Admin\AppData\Local\Temp\00fd83e40d8d72a43cacf66dccb74ac3667718e3de33dce519714ee2bede3668.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\00fd83e40d8d72a43cacf66dccb74ac3667718e3de33dce519714ee2bede3668.exe"C:\Users\Admin\AppData\Local\Temp\00fd83e40d8d72a43cacf66dccb74ac3667718e3de33dce519714ee2bede3668.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\6C2.exeC:\Users\Admin\AppData\Local\Temp\6C2.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\6C2.exe"2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\BD4.exeC:\Users\Admin\AppData\Local\Temp\BD4.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im BD4.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\BD4.exe" & del C:\ProgramData\*.dll & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im BD4.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\1B08.exeC:\Users\Admin\AppData\Local\Temp\1B08.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 13082⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2123.exeC:\Users\Admin\AppData\Local\Temp\2123.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\320C.exeC:\Users\Admin\AppData\Local\Temp\320C.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\39ED.exeC:\Users\Admin\AppData\Local\Temp\39ED.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4393.exeC:\Users\Admin\AppData\Local\Temp\4393.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\51EC.exeC:\Users\Admin\AppData\Local\Temp\51EC.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0c5wtme4\0c5wtme4.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB216.tmp" "c:\Users\Admin\AppData\Local\Temp\0c5wtme4\CSC2E024E78E9B14F14AA76194EC7169A12.TMP"4⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr4⤵
-
C:\Windows\SysWOW64\net.exenet start rdpdr5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService4⤵
-
C:\Windows\SysWOW64\net.exenet start TermService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\5CDA.exeC:\Users\Admin\AppData\Local\Temp\5CDA.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5CDA.exeC:\Users\Admin\AppData\Local\Temp\5CDA.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\5CDA.exeC:\Users\Admin\AppData\Local\Temp\5CDA.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\5CDA.exeC:\Users\Admin\AppData\Local\Temp\5CDA.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
1.6MB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
580KB
-
Filesize
568KB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
856KB
-
Filesize
19.2MB
-
Filesize
500KB
-
Filesize
568KB
-
Filesize
19.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
196KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
4.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.0MB
-
Filesize
4.0MB