Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 20-11-2021 08:12
Static task: static1
Behavioral task: behavioral1
  Sample: 9e93213e249415159b0b616a4e1e6504.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: 9e93213e249415159b0b616a4e1e6504.exe
  Resource: win10-en-20211014
General
- Target: 9e93213e249415159b0b616a4e1e6504.exe
- Size: 280KB
- MD5: 9e93213e249415159b0b616a4e1e6504
- SHA1: 4c5f8fdff30f48b5cd554dd5dfd94bf4f28bf51b
- SHA256: b1db9a17312d9287f7ca3c6763a7741b758b88481657479a6212aa23c535b48c
- SHA512: c6b198c776baad337e7473ab2eac778cdfa390eafd502fbf659863fc3cf972ffb685bd924c8ea6383fd6b5ae0f8f5f4b325a2864f8c46450e000c66e05c2dec1
Malware Config
Extracted: smokeloader
  2020
  http://host-file-host6.com/
  http://host-host-file8.com/
Extracted: redline
  185.159.80.90:38637
Extracted: raccoon
  1.8.3-hotfix
  ddf183af4241e3172885cf1b2c4c1fb4ee03d05a
  url4cnc:
    http://91.219.236.27/capibar
    http://5.181.156.92/capibar
    http://91.219.236.207/capibar
    http://185.225.19.18/capibar
    http://91.219.237.227/capibar
    https://t.me/capibar
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (5 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/1400-79-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral1/memory/1400-80-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral1/memory/1400-81-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral1/memory/1400-82-0x0000000000418EEA-mapping.dmp | family_redline
  behavioral1/memory/1400-84-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Executes dropped EXE (5 IoCs)
Processes:
  pid  | process
  1628 | 906D.exe
  1860 | 906D.exe
  1532 | A758.exe
  1400 | A758.exe
  1256 | EB7A.exe

Deletes itself (1 IoCs)
Processes:
  pid  | process
  1200 | (no process name in report)

Loads dropped DLL (2 IoCs)
Processes:
  pid  | process
  1628 | 906D.exe
  1532 | A758.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description | pid | process | target process
  PID 1412 set thread context of 856 | 1412 | 9e93213e249415159b0b616a4e1e6504.exe | 9e93213e249415159b0b616a4e1e6504.exe
  PID 1628 set thread context of 1860 | 1628 | 906D.exe | 906D.exe
  PID 1532 set thread context of 1400 | 1532 | A758.exe | A758.exe
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 9e93213e249415159b0b616a4e1e6504.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 9e93213e249415159b0b616a4e1e6504.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 9e93213e249415159b0b616a4e1e6504.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 906D.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 906D.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 906D.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid  | process
  856  | 9e93213e249415159b0b616a4e1e6504.exe
  856  | 9e93213e249415159b0b616a4e1e6504.exe
  1200 | (no process name in report; this entry is repeated 62 times)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid  | process
  1200 | (no process name in report)

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  pid  | process
  856  | 9e93213e249415159b0b616a4e1e6504.exe
  1860 | 906D.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 1200 | (no process name in report)
  Token: SeShutdownPrivilege | 1200 | (no process name in report)
  Token: SeShutdownPrivilege | 1200 | (no process name in report)
  Token: SeDebugPrivilege | 1400 | A758.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid  | process
  1200 | (no process name in report)
  1200 | (no process name in report)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
  pid  | process
  1200 | (no process name in report)
  1200 | (no process name in report)
Suspicious use of WriteProcessMemory (35 IoCs)
Processes:
  description | pid | process | target process | occurrences
  PID 1412 wrote to memory of 856 | 1412 | 9e93213e249415159b0b616a4e1e6504.exe | 9e93213e249415159b0b616a4e1e6504.exe | 7
  PID 1200 wrote to memory of 1628 | 1200 | (no process name in report) | 906D.exe | 4
  PID 1628 wrote to memory of 1860 | 1628 | 906D.exe | 906D.exe | 7
  PID 1200 wrote to memory of 1532 | 1200 | (no process name in report) | A758.exe | 4
  PID 1532 wrote to memory of 1400 | 1532 | A758.exe | A758.exe | 9
  PID 1200 wrote to memory of 1256 | 1200 | (no process name in report) | EB7A.exe | 4
Processes
- C:\Users\Admin\AppData\Local\Temp\9e93213e249415159b0b616a4e1e6504.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9e93213e249415159b0b616a4e1e6504.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\9e93213e249415159b0b616a4e1e6504.exe (child)
    command line: "C:\Users\Admin\AppData\Local\Temp\9e93213e249415159b0b616a4e1e6504.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\906D.exe
  command line: C:\Users\Admin\AppData\Local\Temp\906D.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\906D.exe (child)
    command line: C:\Users\Admin\AppData\Local\Temp\906D.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\A758.exe
  command line: C:\Users\Admin\AppData\Local\Temp\A758.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\A758.exe (child)
    command line: C:\Users\Admin\AppData\Local\Temp\A758.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\EB7A.exe
  command line: C:\Users\Admin\AppData\Local\Temp\EB7A.exe
  - Executes dropped EXE
Downloads

C:\Users\Admin\AppData\Local\Temp\906D.exe
  MD5: 9e93213e249415159b0b616a4e1e6504
  SHA1: 4c5f8fdff30f48b5cd554dd5dfd94bf4f28bf51b
  SHA256: b1db9a17312d9287f7ca3c6763a7741b758b88481657479a6212aa23c535b48c
  SHA512: c6b198c776baad337e7473ab2eac778cdfa390eafd502fbf659863fc3cf972ffb685bd924c8ea6383fd6b5ae0f8f5f4b325a2864f8c46450e000c66e05c2dec1
C:\Users\Admin\AppData\Local\Temp\A758.exe
  MD5: 5e34695c9f46f1e69ce731d3b7359c88
  SHA1: e1e5bb43f0c7556bcccc8cb698f854694bdc024a
  SHA256: 97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc
  SHA512: 659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43
C:\Users\Admin\AppData\Local\Temp\EB7A.exe
  MD5: a93ee3be032ac2a200af6f5673ecc492
  SHA1: a6fb35b4230ae92ae50a2f3a4e7f0ca7341e9f1c
  SHA256: f106e2efb90c57289bbe57b3be618c063c1bc70f3eaabd2afa73e53c2168a54d
  SHA512: d4796fda3e4de570d77ffb5dd9efa8172647832e3e2e491d12578d19b9f8de6b876b349f827050f1aa6f6121cf0a5558e4cd4e4c920a33f2f46732b1ca99e321
\Users\Admin\AppData\Local\Temp\906D.exe
  MD5: 9e93213e249415159b0b616a4e1e6504
  SHA1: 4c5f8fdff30f48b5cd554dd5dfd94bf4f28bf51b
  SHA256: b1db9a17312d9287f7ca3c6763a7741b758b88481657479a6212aa23c535b48c
  SHA512: c6b198c776baad337e7473ab2eac778cdfa390eafd502fbf659863fc3cf972ffb685bd924c8ea6383fd6b5ae0f8f5f4b325a2864f8c46450e000c66e05c2dec1
\Users\Admin\AppData\Local\Temp\A758.exe
  MD5: 5e34695c9f46f1e69ce731d3b7359c88
  SHA1: e1e5bb43f0c7556bcccc8cb698f854694bdc024a
  SHA256: 97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc
  SHA512: 659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43
Memory dumps:
  dump | filesize
  memory/856-58-0x0000000076171000-0x0000000076173000-memory.dmp | 8KB
  memory/856-56-0x0000000000400000-0x0000000000409000-memory.dmp | 36KB
  memory/856-57-0x0000000000402DD8-mapping.dmp | (not recorded)
  memory/1200-87-0x0000000003DA0000-0x0000000003DB6000-memory.dmp | 88KB
  memory/1200-60-0x0000000002210000-0x0000000002226000-memory.dmp | 88KB
  memory/1256-92-0x00000000002C0000-0x000000000034F000-memory.dmp | 572KB
  memory/1256-91-0x0000000000220000-0x000000000026F000-memory.dmp | 316KB
  memory/1256-88-0x0000000000000000-mapping.dmp | (not recorded)
  memory/1256-93-0x0000000000400000-0x0000000000491000-memory.dmp | 580KB
  memory/1400-80-0x0000000000400000-0x0000000000420000-memory.dmp | 128KB
  memory/1400-77-0x0000000000400000-0x0000000000420000-memory.dmp | 128KB
  memory/1400-78-0x0000000000400000-0x0000000000420000-memory.dmp | 128KB
  memory/1400-79-0x0000000000400000-0x0000000000420000-memory.dmp | 128KB
  memory/1400-81-0x0000000000400000-0x0000000000420000-memory.dmp | 128KB
  memory/1400-82-0x0000000000418EEA-mapping.dmp | (not recorded)
  memory/1400-84-0x0000000000400000-0x0000000000420000-memory.dmp | 128KB
  memory/1400-86-0x00000000045F0000-0x00000000045F1000-memory.dmp | 4KB
  memory/1412-59-0x0000000000220000-0x0000000000229000-memory.dmp | 36KB
  memory/1412-55-0x0000000002C8B000-0x0000000002C9C000-memory.dmp | 68KB
  memory/1532-73-0x0000000000110000-0x0000000000111000-memory.dmp | 4KB
  memory/1532-76-0x0000000001D40000-0x0000000001D41000-memory.dmp | 4KB
  memory/1532-70-0x0000000000000000-mapping.dmp | (not recorded)
  memory/1628-63-0x00000000002CB000-0x00000000002DC000-memory.dmp | 68KB
  memory/1628-61-0x0000000000000000-mapping.dmp | (not recorded)
  memory/1860-67-0x0000000000402DD8-mapping.dmp | (not recorded)