Analysis
-
max time kernel
151s -
max time network
151s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
14-11-2021 18:53
General
-
Target
981c0c86d30d6935574c546d01121805ead7086e350452d07f015084015051d2.exe
-
Size
220KB
-
MD5
65e7d43b56975e07a8dc0edae15d91de
-
SHA1
63cde69ae14c8c1c4d4c5def1d59e32d30ebff66
-
SHA256
981c0c86d30d6935574c546d01121805ead7086e350452d07f015084015051d2
-
SHA512
c0cc6e0a9cc7d91e3cea5fc65012ae1bacc8dc2d6ea215297b574b26b65ddb10b5efa1bcda652738870d96e70f1f5b5a561a373ba587e2bedf82a38dee65cefa
Malware Config
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Extracted
redline
185.159.80.90:38637
Extracted
redline
SuperStar
185.215.113.29:36224
Extracted
raccoon
1.8.3-hotfix
675718a5f2ce6d3cacf6cb04a512f5637eae995f
-
url4cnc
http://91.219.236.27/agrybirdsgamerept
http://5.181.156.92/agrybirdsgamerept
http://91.219.236.207/agrybirdsgamerept
http://185.225.19.18/agrybirdsgamerept
http://91.219.237.227/agrybirdsgamerept
http://185.163.47.176/agrybirdsgamerept
Extracted
raccoon
1.8.3-hotfix
ddf183af4241e3172885cf1b2c4c1fb4ee03d05a
-
url4cnc
http://91.219.236.27/capibar
http://5.181.156.92/capibar
http://91.219.236.207/capibar
http://185.225.19.18/capibar
http://91.219.237.227/capibar
https://t.me/capibar
Signatures
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 5 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 10 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 50 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\981c0c86d30d6935574c546d01121805ead7086e350452d07f015084015051d2.exe"C:\Users\Admin\AppData\Local\Temp\981c0c86d30d6935574c546d01121805ead7086e350452d07f015084015051d2.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\981c0c86d30d6935574c546d01121805ead7086e350452d07f015084015051d2.exe"C:\Users\Admin\AppData\Local\Temp\981c0c86d30d6935574c546d01121805ead7086e350452d07f015084015051d2.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\684B.exeC:\Users\Admin\AppData\Local\Temp\684B.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\684B.exeC:\Users\Admin\AppData\Local\Temp\684B.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\6CF0.exeC:\Users\Admin\AppData\Local\Temp\6CF0.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\6CF0.exeC:\Users\Admin\AppData\Local\Temp\6CF0.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\702D.exeC:\Users\Admin\AppData\Local\Temp\702D.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 4802⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\73D7.exeC:\Users\Admin\AppData\Local\Temp\73D7.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\73D7.exeC:\Users\Admin\AppData\Local\Temp\73D7.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\78BA.exeC:\Users\Admin\AppData\Local\Temp\78BA.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8425.exeC:\Users\Admin\AppData\Local\Temp\8425.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9B96.exeC:\Users\Admin\AppData\Local\Temp\9B96.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6CF0.exe.logMD5
41fbed686f5700fc29aaccf83e8ba7fd
SHA15271bc29538f11e42a3b600c8dc727186e912456
SHA256df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437
SHA512234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034
-
C:\Users\Admin\AppData\Local\Temp\684B.exeMD5
65e7d43b56975e07a8dc0edae15d91de
SHA163cde69ae14c8c1c4d4c5def1d59e32d30ebff66
SHA256981c0c86d30d6935574c546d01121805ead7086e350452d07f015084015051d2
SHA512c0cc6e0a9cc7d91e3cea5fc65012ae1bacc8dc2d6ea215297b574b26b65ddb10b5efa1bcda652738870d96e70f1f5b5a561a373ba587e2bedf82a38dee65cefa
-
C:\Users\Admin\AppData\Local\Temp\684B.exeMD5
65e7d43b56975e07a8dc0edae15d91de
SHA163cde69ae14c8c1c4d4c5def1d59e32d30ebff66
SHA256981c0c86d30d6935574c546d01121805ead7086e350452d07f015084015051d2
SHA512c0cc6e0a9cc7d91e3cea5fc65012ae1bacc8dc2d6ea215297b574b26b65ddb10b5efa1bcda652738870d96e70f1f5b5a561a373ba587e2bedf82a38dee65cefa
-
C:\Users\Admin\AppData\Local\Temp\684B.exeMD5
65e7d43b56975e07a8dc0edae15d91de
SHA163cde69ae14c8c1c4d4c5def1d59e32d30ebff66
SHA256981c0c86d30d6935574c546d01121805ead7086e350452d07f015084015051d2
SHA512c0cc6e0a9cc7d91e3cea5fc65012ae1bacc8dc2d6ea215297b574b26b65ddb10b5efa1bcda652738870d96e70f1f5b5a561a373ba587e2bedf82a38dee65cefa
-
C:\Users\Admin\AppData\Local\Temp\6CF0.exeMD5
5e34695c9f46f1e69ce731d3b7359c88
SHA1e1e5bb43f0c7556bcccc8cb698f854694bdc024a
SHA25697f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc
SHA512659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43
-
C:\Users\Admin\AppData\Local\Temp\6CF0.exeMD5
5e34695c9f46f1e69ce731d3b7359c88
SHA1e1e5bb43f0c7556bcccc8cb698f854694bdc024a
SHA25697f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc
SHA512659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43
-
C:\Users\Admin\AppData\Local\Temp\6CF0.exeMD5
5e34695c9f46f1e69ce731d3b7359c88
SHA1e1e5bb43f0c7556bcccc8cb698f854694bdc024a
SHA25697f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc
SHA512659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43
-
C:\Users\Admin\AppData\Local\Temp\702D.exeMD5
d985b4cfdceecc3c0fe4f3e4fda4e416
SHA1f3c14a4d87569e54faaf0eac73ec1aafa2621dfa
SHA256a8b37d6b073ee045ae63473cb1a592c974e896b19e3db06d552f955901c06db7
SHA512560a056c076db6893f6407807d9a10d1078c148aa588d9de6ce1874eeac0a4feaf2102b656ba96316a32c89df97986f20cf77e55117e2c9bf97e52ef3381335c
-
C:\Users\Admin\AppData\Local\Temp\702D.exeMD5
d985b4cfdceecc3c0fe4f3e4fda4e416
SHA1f3c14a4d87569e54faaf0eac73ec1aafa2621dfa
SHA256a8b37d6b073ee045ae63473cb1a592c974e896b19e3db06d552f955901c06db7
SHA512560a056c076db6893f6407807d9a10d1078c148aa588d9de6ce1874eeac0a4feaf2102b656ba96316a32c89df97986f20cf77e55117e2c9bf97e52ef3381335c
-
C:\Users\Admin\AppData\Local\Temp\73D7.exeMD5
db928710e7fee9178082ea7be812fb95
SHA1d2381c09048a9ed8b21a937cef708d94394bcea3
SHA25666b6c6e9af2be8663f2b53bb56f76506d5cc85a84d8dd280ea7386c90842bb8a
SHA512edc223e23228f8bcfbfa202827455933978a512925b48e2ffead7ddd6c8911a1479ad0639fda107fdfbac963f503fde5a3b507767198b554452514c1472b4a6e
-
C:\Users\Admin\AppData\Local\Temp\73D7.exeMD5
db928710e7fee9178082ea7be812fb95
SHA1d2381c09048a9ed8b21a937cef708d94394bcea3
SHA25666b6c6e9af2be8663f2b53bb56f76506d5cc85a84d8dd280ea7386c90842bb8a
SHA512edc223e23228f8bcfbfa202827455933978a512925b48e2ffead7ddd6c8911a1479ad0639fda107fdfbac963f503fde5a3b507767198b554452514c1472b4a6e
-
C:\Users\Admin\AppData\Local\Temp\73D7.exeMD5
db928710e7fee9178082ea7be812fb95
SHA1d2381c09048a9ed8b21a937cef708d94394bcea3
SHA25666b6c6e9af2be8663f2b53bb56f76506d5cc85a84d8dd280ea7386c90842bb8a
SHA512edc223e23228f8bcfbfa202827455933978a512925b48e2ffead7ddd6c8911a1479ad0639fda107fdfbac963f503fde5a3b507767198b554452514c1472b4a6e
-
C:\Users\Admin\AppData\Local\Temp\78BA.exeMD5
0f9d1f2e3aaad601bb95a039b0aedcfb
SHA1141e7b7b2a4a31b2a7e599b2d2064239fcc66707
SHA256db4ec306ea32c01cb486566c699b9b88013beb26c2830319785bf5a4ee4735b5
SHA512b68708a0aa425a3f90df3c1639aeb2358f34fa5bfb3691d3010cd528cdce99692269b13cda9f05172d8608fc08b7b7ca5449d495290a5e9e81221edfe9d052e7
-
C:\Users\Admin\AppData\Local\Temp\78BA.exeMD5
0f9d1f2e3aaad601bb95a039b0aedcfb
SHA1141e7b7b2a4a31b2a7e599b2d2064239fcc66707
SHA256db4ec306ea32c01cb486566c699b9b88013beb26c2830319785bf5a4ee4735b5
SHA512b68708a0aa425a3f90df3c1639aeb2358f34fa5bfb3691d3010cd528cdce99692269b13cda9f05172d8608fc08b7b7ca5449d495290a5e9e81221edfe9d052e7
-
C:\Users\Admin\AppData\Local\Temp\8425.exeMD5
28707a111e2d39940a87878f490d8d27
SHA114adb3e80e95ed0d5972297591caa3981d6a3701
SHA2566f22240fb4752071eb6e1a3de7c105d4009f3b0e59a897d363fed97309543107
SHA512892313157ecc8fcf53f0373839a7f18032354166c8f8ff40400bdbccc1b6da40e1b942fc89956b8ca5e22d80f7f8d5c57f2396e2d77b3442f450031b47ba0f1d
-
C:\Users\Admin\AppData\Local\Temp\8425.exeMD5
28707a111e2d39940a87878f490d8d27
SHA114adb3e80e95ed0d5972297591caa3981d6a3701
SHA2566f22240fb4752071eb6e1a3de7c105d4009f3b0e59a897d363fed97309543107
SHA512892313157ecc8fcf53f0373839a7f18032354166c8f8ff40400bdbccc1b6da40e1b942fc89956b8ca5e22d80f7f8d5c57f2396e2d77b3442f450031b47ba0f1d
-
C:\Users\Admin\AppData\Local\Temp\9B96.exeMD5
2b981c5d303d855ff0b7784ea7082860
SHA172638cba4542e5f56f701d9579ba857d1675ee98
SHA2561a320f02f4bb5f3c0464dbf9d3f66939ce25f3683e262dc9326056ab329819cc
SHA51228043fd7c35b0f4f75a36e10da6e5fa868939faf3e223905f15b66fdfdfdf0751c6693ab22cb19917d88ec1f7a4cc33e10401c54554b0434e9a7cae90b8aa9c1
-
memory/372-137-0x0000000000000000-mapping.dmp
-
memory/372-156-0x0000000002060000-0x0000000002082000-memory.dmpFilesize
136KB
-
memory/372-157-0x0000000002090000-0x00000000020C0000-memory.dmpFilesize
192KB
-
memory/608-185-0x0000000002DC6000-0x0000000002E16000-memory.dmpFilesize
320KB
-
memory/608-148-0x0000000000000000-mapping.dmp
-
memory/608-187-0x0000000000400000-0x0000000002B85000-memory.dmpFilesize
39.5MB
-
memory/608-186-0x0000000004850000-0x00000000048DF000-memory.dmpFilesize
572KB
-
memory/1000-117-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/1000-118-0x0000000000402DD8-mapping.dmp
-
memory/1172-172-0x0000000000418EEA-mapping.dmp
-
memory/1172-181-0x0000000004C80000-0x0000000005286000-memory.dmpFilesize
6.0MB
-
memory/1172-208-0x0000000006E90000-0x0000000006E91000-memory.dmpFilesize
4KB
-
memory/1172-198-0x00000000051F0000-0x00000000051F1000-memory.dmpFilesize
4KB
-
memory/1172-207-0x0000000006790000-0x0000000006791000-memory.dmpFilesize
4KB
-
memory/1172-171-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1172-206-0x0000000005C90000-0x0000000005C91000-memory.dmpFilesize
4KB
-
memory/1176-124-0x0000000000402DD8-mapping.dmp
-
memory/1296-120-0x0000000000000000-mapping.dmp
-
memory/1296-128-0x0000000000570000-0x00000000006BA000-memory.dmpFilesize
1.3MB
-
memory/1296-129-0x0000000000570000-0x00000000006BA000-memory.dmpFilesize
1.3MB
-
memory/1552-116-0x00000000005B0000-0x00000000005B9000-memory.dmpFilesize
36KB
-
memory/1552-115-0x00000000005A0000-0x00000000005A8000-memory.dmpFilesize
32KB
-
memory/1836-143-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/1836-142-0x0000000000440000-0x00000000004EE000-memory.dmpFilesize
696KB
-
memory/1836-141-0x0000000000440000-0x00000000004EE000-memory.dmpFilesize
696KB
-
memory/1836-131-0x0000000000000000-mapping.dmp
-
memory/2016-155-0x0000000005560000-0x0000000005561000-memory.dmpFilesize
4KB
-
memory/2016-160-0x0000000002522000-0x0000000002523000-memory.dmpFilesize
4KB
-
memory/2016-163-0x0000000004F50000-0x0000000004F51000-memory.dmpFilesize
4KB
-
memory/2016-164-0x00000000026B0000-0x00000000026B1000-memory.dmpFilesize
4KB
-
memory/2016-165-0x0000000005090000-0x0000000005091000-memory.dmpFilesize
4KB
-
memory/2016-166-0x0000000002524000-0x0000000002526000-memory.dmpFilesize
8KB
-
memory/2016-145-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/2016-146-0x000000000040CD2F-mapping.dmp
-
memory/2016-162-0x0000000002680000-0x0000000002681000-memory.dmpFilesize
4KB
-
memory/2016-151-0x0000000002370000-0x000000000238C000-memory.dmpFilesize
112KB
-
memory/2016-159-0x0000000002520000-0x0000000002521000-memory.dmpFilesize
4KB
-
memory/2016-158-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/2016-154-0x00000000024B0000-0x00000000024CB000-memory.dmpFilesize
108KB
-
memory/2016-161-0x0000000002523000-0x0000000002524000-memory.dmpFilesize
4KB
-
memory/2088-136-0x0000000004C40000-0x0000000004C41000-memory.dmpFilesize
4KB
-
memory/2088-140-0x00000000025C0000-0x00000000025C1000-memory.dmpFilesize
4KB
-
memory/2088-152-0x0000000005320000-0x0000000005321000-memory.dmpFilesize
4KB
-
memory/2088-144-0x0000000004E10000-0x0000000004E11000-memory.dmpFilesize
4KB
-
memory/2088-134-0x00000000003E0000-0x00000000003E1000-memory.dmpFilesize
4KB
-
memory/2088-126-0x0000000000000000-mapping.dmp
-
memory/2980-193-0x0000000000B40000-0x0000000000B41000-memory.dmpFilesize
4KB
-
memory/2980-188-0x0000000000000000-mapping.dmp
-
memory/2980-203-0x00000000055A0000-0x00000000055A1000-memory.dmpFilesize
4KB
-
memory/2980-202-0x0000000077580000-0x000000007770E000-memory.dmpFilesize
1.6MB
-
memory/2980-217-0x0000000007750000-0x0000000007751000-memory.dmpFilesize
4KB
-
memory/3024-167-0x0000000004080000-0x0000000004096000-memory.dmpFilesize
88KB
-
memory/3024-119-0x00000000007A0000-0x00000000007B6000-memory.dmpFilesize
88KB
-
memory/3744-184-0x0000000000400000-0x0000000000491000-memory.dmpFilesize
580KB
-
memory/3744-183-0x00000000021D0000-0x000000000225F000-memory.dmpFilesize
572KB
-
memory/3744-182-0x0000000000520000-0x000000000066A000-memory.dmpFilesize
1.3MB
-
memory/3744-168-0x0000000000000000-mapping.dmp