Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-en-20211014
submitted: 19-11-2021 15:50
Static task: static1
Behavioral task: behavioral1
  Sample: a6bd32415dd70387135c653746de561d.exe
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: a6bd32415dd70387135c653746de561d.exe
  Resource: win10-en-20211104
All signature, process and memory-dump results on this page come from behavioral1 (the Windows 7 run, as the behavioral1/memory/... resource paths show); no behavioral2 results appear on this page.
General
Target: a6bd32415dd70387135c653746de561d.exe
Size: 160KB
MD5: a6bd32415dd70387135c653746de561d
SHA1: ef6a1b2273dd0971d2a80545ec51c9bde62534fc
SHA256: 7fa06e224553a98519e582365308daad4a4c4dab5f3d51bd2c87bf5df1ff76de
SHA512: db9a28487a02b5bd010c90ab31a7e5790d2b70f9754a1bb0979dbaa4fa3ee24592eab7ac2f47723fbd9b353dca5ac42335c39e6ff0c6703613ae2be76a34ec56
Malware Config
The configuration extractor recovered four families from this one sample: SmokeLoader (the loader), RedLine, Raccoon and Arkei (three stealers). Only RedLine and Arkei also have YARA memory matches in the Signatures section below.

Extracted: smokeloader
  Version: 2020
  C2:
    http://host-file-host6.com/
    http://host-host-file8.com/
    http://srtuiyhuali.at/
    http://fufuiloirtu.com/
    http://amogohuigotuli.at/
    http://novohudosovu.com/
    http://brutuilionust.com/
    http://bubushkalioua.com/
    http://dumuilistrati.at/
    http://verboliatsiaeeees.com/
Extracted: redline
  C2: 185.159.80.90:38637 (raw IP:port, no domain to resolve)
Extracted: raccoon
  Version: 1.8.3-hotfix
  ddf183af4241e3172885cf1b2c4c1fb4ee03d05a (value not labelled in the report)
  url4cnc (dead-drop resolvers the stealer reads its real C2 address from; note the Telegram channel, where the indicator is the channel path, not the t.me host):
    http://91.219.236.27/capibar
    http://5.181.156.92/capibar
    http://91.219.236.207/capibar
    http://185.225.19.18/capibar
    http://91.219.237.227/capibar
    https://t.me/capibar
Extracted: arkei
  Botnet: Default
  C2: http://file-file-host4.com/tratata.php
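The four extracted configurations above are the network indicators a defender would actually match on. The following is an added example, not part of the sandbox report and not code from the sandbox or from any of the malware families: it turns the extracted C2 lists into a matchable indicator set and runs it over a few constructed proxy/DNS log lines. Everything inside EXTRACTED_CONFIG is copied from the report; the log lines, the build_indicators/scan helpers and the host-boundary regex are my own assumptions about how such logs look.

```python
"""Match the C2 indicators extracted from a6bd32415dd70387135c653746de561d.exe
against proxy/DNS log lines. Added example; SAMPLE_LOG is constructed."""
import re
from urllib.parse import urlparse

# C2 endpoints exactly as listed in the report's "Malware Config" section.
EXTRACTED_CONFIG = {
    "smokeloader": [
        "http://host-file-host6.com/", "http://host-host-file8.com/",
        "http://srtuiyhuali.at/", "http://fufuiloirtu.com/",
        "http://amogohuigotuli.at/", "http://novohudosovu.com/",
        "http://brutuilionust.com/", "http://bubushkalioua.com/",
        "http://dumuilistrati.at/", "http://verboliatsiaeeees.com/",
    ],
    "redline": ["185.159.80.90:38637"],
    "raccoon": [
        "http://91.219.236.27/capibar", "http://5.181.156.92/capibar",
        "http://91.219.236.207/capibar", "http://185.225.19.18/capibar",
        "http://91.219.237.227/capibar", "https://t.me/capibar",
    ],
    "arkei": ["http://file-file-host4.com/tratata.php"],
}

# Constructed log lines (not from the report) in a generic "timestamp source
# event ..." shape: one hit per family, one legitimate t.me visit, one
# look-alike domain that must NOT fire.
SAMPLE_LOG = [
    "2021-11-19T15:51:02Z DNS query A srtuiyhuali.at from 10.0.0.23",
    "2021-11-19T15:51:03Z proxy CONNECT 185.159.80.90:38637 from 10.0.0.23 TLS",
    "2021-11-19T15:51:05Z proxy GET http://91.219.236.27/capibar from 10.0.0.23 200",
    "2021-11-19T15:51:06Z proxy GET https://t.me/someotherchannel from 10.0.0.24 200",
    "2021-11-19T15:51:07Z DNS query A nothost-file-host6.com from 10.0.0.25",
    "2021-11-19T15:51:08Z proxy GET http://file-file-host4.com/tratata.php from 10.0.0.23 200",
]


def build_indicators(config):
    """Return {indicator: family}. URL entries are reduced to their host;
    an IP:port entry is keyed both as "ip:port" (for flow/proxy logs) and as
    the bare IP (for DNS-less logs). The Telegram dead drop is kept as the
    full URL because t.me itself is a shared, legitimate host."""
    indicators = {}
    for family, entries in config.items():
        for entry in entries:
            if "://" in entry:
                host = urlparse(entry).hostname
                if host == "t.me":
                    indicators[entry.lower()] = family
                    continue
            else:
                host, _, port = entry.partition(":")
                if port:
                    indicators[f"{host}:{port}"] = family
            indicators[host.lower()] = family
    return indicators


def _pattern(indicator):
    # Whole-token match: the indicator may not be preceded by a label
    # character, dot or hyphen (so "nothost-file-host6.com" does not fire
    # for host-file-host6.com) nor followed by one. Subdomains of a C2
    # domain are deliberately not matched; add them as separate entries.
    return re.compile(r"(?<![\w.-])" + re.escape(indicator) + r"(?![\w-])", re.I)


def scan(lines, indicators):
    """Return a list of (line_number, family, indicator) for every hit."""
    patterns = [(_pattern(ind), ind, fam) for ind, fam in indicators.items()]
    hits = []
    for number, line in enumerate(lines, 1):
        for pattern, indicator, family in patterns:
            if pattern.search(line):
                hits.append((number, family, indicator))
    return hits


if __name__ == "__main__":
    for number, family, indicator in scan(SAMPLE_LOG, build_indicators(EXTRACTED_CONFIG)):
        print(f"line {number}: {family:<12} {indicator}")
```

Line 2 produces two hits (the ip:port pair and the bare IP) by design, so a SIEM rule built on this set should deduplicate per line and family before alerting.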
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload 5 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/992-79-0x0000000000400000-0x0000000000420000-memory.dmp   family_redline
  behavioral1/memory/992-80-0x0000000000400000-0x0000000000420000-memory.dmp   family_redline
  behavioral1/memory/992-81-0x0000000000400000-0x0000000000420000-memory.dmp   family_redline
  behavioral1/memory/992-82-0x0000000000418EEA-mapping.dmp                     family_redline
  behavioral1/memory/992-84-0x0000000000400000-0x0000000000420000-memory.dmp   family_redline
All five matches are in PID 992, the second D79B.exe instance that its parent (PID 1792) wrote into and redirected with SetThreadContext (see below). The RedLine payload therefore exists only unpacked in memory; the D79B.exe file hash in Downloads identifies the loader, not the payload.
SmokeLoader
Modular backdoor trojan in use since 2014.
Arkei Stealer Payload 2 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1576-112-0x0000000000240000-0x0000000000261000-memory.dmp  family_arkei
  behavioral1/memory/1576-113-0x0000000000400000-0x000000000043B000-memory.dmp  family_arkei
PID 1576 is 2E75.exe (see Executes dropped EXE).
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
Downloads MZ/PE file
Executes dropped EXE 8 IoCs
Processes:
  pid    process
  1764   C081.exe
  1048   C081.exe
  1792   D79B.exe
  992    D79B.exe
  1264   EE38.exe
  1516   C24.exe
  1856   1633.exe
  1576   2E75.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description         ioc                                                                  process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion     1633.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion      1633.exe
These are registry reads observed through the sandbox's API monitoring. Sysmon's registry events (12, 13, 14) record only key create/delete, value set and rename, so the same query leaves no Sysmon trace on a production host; detecting it there needs ETW registry tracing or an EDR that hooks reads.
Deletes itself 1 IoCs
Processes:
  pid    process
  1272   (image name not recorded in the report)
Loads dropped DLL 2 IoCs
Processes:
  pid    process
  1764   C081.exe
  1792   D79B.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Themida packer 2 IoCs
Processes:
  resource                                                                       yara_rule
  C:\Users\Admin\AppData\Local\Temp\1633.exe                                     themida
  behavioral1/memory/1856-100-0x0000000001280000-0x0000000001281000-memory.dmp   themida
1633.exe (PID 1856) is the Themida-protected component; it is also the process behind the BIOS/UAC registry checks and the NtSetInformationThread(ThreadHideFromDebugger) call below, which is consistent with the protector's own anti-analysis code rather than the payload's.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled 1 IoCs
Processes:
  description         ioc                                                                              process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   1633.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
  pid    process
  1856   1633.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                            pid    process                                    target pid   target process
  PID 892 set thread context of 1028     892    a6bd32415dd70387135c653746de561d.exe       1028         a6bd32415dd70387135c653746de561d.exe
  PID 1764 set thread context of 1048    1764   C081.exe                                   1048         C081.exe
  PID 1792 set thread context of 992     1792   D79B.exe                                   992          D79B.exe
In each case the target is a second instance of the parent's own image.
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description       ioc                                               process
  Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   a6bd32415dd70387135c653746de561d.exe
  Key enumerated    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   a6bd32415dd70387135c653746de561d.exe
  Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   C081.exe
  Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   a6bd32415dd70387135c653746de561d.exe
  Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   C081.exe
  Key enumerated    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   C081.exe
  Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   C24.exe
  Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   C24.exe
  Key enumerated    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   C24.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid    process                                    entries
  1028   a6bd32415dd70387135c653746de561d.exe       2
  1272   (image name not recorded in the report)    62
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid    process
  1272   (image name not recorded in the report)
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
  pid    process
  1028   a6bd32415dd70387135c653746de561d.exe
  1048   C081.exe
  1516   C24.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  description                 pid    process
  Token: SeShutdownPrivilege  1272   (image name not recorded in the report)
  Token: SeShutdownPrivilege  1272   (image name not recorded in the report)
  Token: SeShutdownPrivilege  1272   (image name not recorded in the report)
  Token: SeDebugPrivilege     992    D79B.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  pid    process                                    entries
  1272   (image name not recorded in the report)    2
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
  pid    process                                    entries
  1272   (image name not recorded in the report)    2
Suspicious use of WriteProcessMemory 47 IoCs
Processes (the report lists one row per call; identical rows are collapsed here with a count):
  description                           pid    process                                    target pid   target process                             count
  PID 892 wrote to memory of 1028       892    a6bd32415dd70387135c653746de561d.exe       1028         a6bd32415dd70387135c653746de561d.exe       7
  PID 1272 wrote to memory of 1764      1272   (not recorded)                             1764         C081.exe                                   4
  PID 1764 wrote to memory of 1048      1764   C081.exe                                   1048         C081.exe                                   7
  PID 1272 wrote to memory of 1792      1272   (not recorded)                             1792         D79B.exe                                   4
  PID 1792 wrote to memory of 992       1792   D79B.exe                                   992          D79B.exe                                   9
  PID 1272 wrote to memory of 1264      1272   (not recorded)                             1264         EE38.exe                                   4
  PID 1272 wrote to memory of 1516      1272   (not recorded)                             1516         C24.exe                                    4
  PID 1272 wrote to memory of 1856      1272   (not recorded)                             1856         1633.exe                                   4
  PID 1272 wrote to memory of 1576      1272   (not recorded)                             1576         2E75.exe                                   4
The three pairs that also appear under SetThreadContext (892/1028, 1764/1048, 1792/992) are the ones where the parent both writes into the child and redirects its thread; the six PID 1272 rows are the dropped executables being started and have no matching SetThreadContext entry.
Processes
(PIDs are taken from the signature tables above. The dropped executables appear at top level because the process that started them, PID 1272, is not part of the tree in this report.)

C:\Users\Admin\AppData\Local\Temp\a6bd32415dd70387135c653746de561d.exe (PID 892)
  command line: "C:\Users\Admin\AppData\Local\Temp\a6bd32415dd70387135c653746de561d.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\a6bd32415dd70387135c653746de561d.exe (PID 1028, child of 892)
    command line: "C:\Users\Admin\AppData\Local\Temp\a6bd32415dd70387135c653746de561d.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\C081.exe (PID 1764)
  command line: C:\Users\Admin\AppData\Local\Temp\C081.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\C081.exe (PID 1048, child of 1764)
    command line: C:\Users\Admin\AppData\Local\Temp\C081.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\D79B.exe (PID 1792)
  command line: C:\Users\Admin\AppData\Local\Temp\D79B.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\D79B.exe (PID 992, child of 1792)
    command line: C:\Users\Admin\AppData\Local\Temp\D79B.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\EE38.exe (PID 1264)
  command line: C:\Users\Admin\AppData\Local\Temp\EE38.exe
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\C24.exe (PID 1516)
  command line: C:\Users\Admin\AppData\Local\Temp\C24.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\1633.exe (PID 1856)
  command line: C:\Users\Admin\AppData\Local\Temp\1633.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Users\Admin\AppData\Local\Temp\2E75.exe (PID 1576)
  command line: C:\Users\Admin\AppData\Local\Temp\2E75.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\1633.exe
  MD5: c8d5fdc4a0e45f4ea541aa74ffa7e1f5
  SHA1: 1e5fc15f69d2d81e46b52c91b771348fcd15d4ab
  SHA256: b38413496a5a7dd3c1d596ae8ced753cbe96568b713c4e4570e16285d9c6b3bb
  SHA512: a1e94c80e2fdcc3d00a65d924758c78ca0ca7056bf9397a8a2fb77cfea4839120550448a0aee41e2bc23afa9cdf64d6671c03db1d1f6e0aa18aa0da31f1183ce

C:\Users\Admin\AppData\Local\Temp\2E75.exe
  MD5: 10f34aa269d8cf80ef189cf1a9234d95
  SHA1: 5670b0fd72c982e82473b2ff622cadae68c8c82e
  SHA256: 74401949c90e614caa815d43059f0b58d3b549be5cdaeeeb9c98b55b082073d7
  SHA512: 0e1ff8f966d3b278aefd092e7558808f20b8fdc01d8c2fff51f37e74586322cbd11b1b95f308b2c67e563635689a18f862a0f32ced11b801333c9b3f1903d010

C:\Users\Admin\AppData\Local\Temp\C081.exe
  (recorded three times under this path and once as \Users\Admin\AppData\Local\Temp\C081.exe, always with the same hashes; these are identical to the submitted sample's hashes, so C081.exe is a copy of the sample itself)
  MD5: a6bd32415dd70387135c653746de561d
  SHA1: ef6a1b2273dd0971d2a80545ec51c9bde62534fc
  SHA256: 7fa06e224553a98519e582365308daad4a4c4dab5f3d51bd2c87bf5df1ff76de
  SHA512: db9a28487a02b5bd010c90ab31a7e5790d2b70f9754a1bb0979dbaa4fa3ee24592eab7ac2f47723fbd9b353dca5ac42335c39e6ff0c6703613ae2be76a34ec56

C:\Users\Admin\AppData\Local\Temp\C24.exe
  MD5: 03651bfa0fa57d86e5a612e0cc81bc09
  SHA1: 67738024bea02128f0d7a9939e193dc706bcd0d8
  SHA256: 48183fd297159559ea5ca3f626bf6ade7bdbaeefec816116a30da7969642ce6b
  SHA512: b9efdef3230478dc4691034bc7e556c313c536115166e4493f7754755d6ab9515c771f51620a5bf5c21bf19b42eb77d95bd040b0f1d3205c715cb21175cffbd4

C:\Users\Admin\AppData\Local\Temp\D79B.exe
  (recorded three times under this path and once as \Users\Admin\AppData\Local\Temp\D79B.exe, always with the same hashes)
  MD5: 5e34695c9f46f1e69ce731d3b7359c88
  SHA1: e1e5bb43f0c7556bcccc8cb698f854694bdc024a
  SHA256: 97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc
  SHA512: 659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

C:\Users\Admin\AppData\Local\Temp\EE38.exe
  MD5: a93ee3be032ac2a200af6f5673ecc492
  SHA1: a6fb35b4230ae92ae50a2f3a4e7f0ca7341e9f1c
  SHA256: f106e2efb90c57289bbe57b3be618c063c1bc70f3eaabd2afa73e53c2168a54d
  SHA512: d4796fda3e4de570d77ffb5dd9efa8172647832e3e2e491d12578d19b9f8de6b876b349f827050f1aa6f6121cf0a5558e4cd4e4c920a33f2f46732b1ca99e321
Memory dumps (resource path, filesize; "mapping.dmp" entries carry no size):
  memory/892-58-0x00000000001C0000-0x00000000001C9000-memory.dmp     36KB
  memory/892-59-0x00000000001D0000-0x00000000001D9000-memory.dmp     36KB
  memory/992-77-0x0000000000400000-0x0000000000420000-memory.dmp     128KB
  memory/992-89-0x0000000004B20000-0x0000000004B21000-memory.dmp     4KB
  memory/992-84-0x0000000000400000-0x0000000000420000-memory.dmp     128KB
  memory/992-78-0x0000000000400000-0x0000000000420000-memory.dmp     128KB
  memory/992-79-0x0000000000400000-0x0000000000420000-memory.dmp     128KB
  memory/992-80-0x0000000000400000-0x0000000000420000-memory.dmp     128KB
  memory/992-81-0x0000000000400000-0x0000000000420000-memory.dmp     128KB
  memory/992-82-0x0000000000418EEA-mapping.dmp
  memory/1028-57-0x00000000754F1000-0x00000000754F3000-memory.dmp    8KB
  memory/1028-56-0x0000000000402DD8-mapping.dmp
  memory/1028-55-0x0000000000400000-0x0000000000409000-memory.dmp    36KB
  memory/1048-66-0x0000000000402DD8-mapping.dmp
  memory/1264-91-0x0000000000320000-0x00000000003AF000-memory.dmp    572KB
  memory/1264-86-0x0000000000000000-mapping.dmp
  memory/1264-90-0x0000000000220000-0x000000000026F000-memory.dmp    316KB
  memory/1264-92-0x0000000000400000-0x0000000000491000-memory.dmp    580KB
  memory/1272-60-0x0000000002A50000-0x0000000002A66000-memory.dmp    88KB
  memory/1272-74-0x0000000003A40000-0x0000000003A56000-memory.dmp    88KB
  memory/1272-109-0x00000000045B0000-0x00000000045C6000-memory.dmp   88KB
  memory/1516-93-0x0000000000000000-mapping.dmp
  memory/1516-102-0x00000000002EB000-0x00000000002FC000-memory.dmp   68KB
  memory/1516-105-0x00000000001B0000-0x00000000001B9000-memory.dmp   36KB
  memory/1516-106-0x0000000000400000-0x0000000001085000-memory.dmp   12.5MB
  memory/1576-112-0x0000000000240000-0x0000000000261000-memory.dmp   132KB
  memory/1576-111-0x0000000000220000-0x0000000000233000-memory.dmp   76KB
  memory/1576-113-0x0000000000400000-0x000000000043B000-memory.dmp   236KB
  memory/1576-107-0x0000000000000000-mapping.dmp
  memory/1764-61-0x0000000000000000-mapping.dmp
  memory/1792-75-0x0000000004B30000-0x0000000004B31000-memory.dmp    4KB
  memory/1792-72-0x0000000001210000-0x0000000001211000-memory.dmp    4KB
  memory/1792-69-0x0000000000000000-mapping.dmp
  memory/1856-104-0x00000000011B0000-0x00000000011B1000-memory.dmp   4KB
  memory/1856-100-0x0000000001280000-0x0000000001281000-memory.dmp   4KB
  memory/1856-95-0x0000000000000000-mapping.dmp
Two details worth reading off this list: the mapping dumps for PIDs 1028 and 1048 sit at the same address, 0x402DD8, consistent with C081.exe being a byte-identical copy of the submitted sample (see Downloads); and PID 1272, whose image the report never names, received three 88KB regions at different base addresses (dumps 60, 74 and 109) over the course of the run.