Resubmissions

25-11-2021 11:52

211125-n16m3afadk 10

11-11-2021 08:48

211111-kqjtrsbaa9 10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    25-11-2021 11:52

General

  • Target

    8dda40a5568292661c1157e6edf3454e9fbf6d2215085b2ac39731276f1e83e3.exe

  • Size

    336KB

  • MD5

    38cbd9820e8528708c24ea761f0de8fe

  • SHA1

    17238afe79a445baf45cb5395a7a192b20beab01

  • SHA256

    8dda40a5568292661c1157e6edf3454e9fbf6d2215085b2ac39731276f1e83e3

  • SHA512

    c5342a02d6dd9719ebdf7399163efd6d8aec683e85397ac422ace0baa42a1ff04ce60c080f2068eee4fc7fea35aed998e037c63030bf208c05d5043c9767eb29

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://nalirou70.top/

http://xacokuo80.top/

rc4.i32
rc4.i32

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Extracted

Family

redline

C2

185.159.80.90:38655

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 5 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs
  • Creates new service(s) 1 TTPs
  • Downloads MZ/PE file
  • Executes dropped EXE 7 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill form data.

  • Checks installed software on the system 1 TTPs

    Looks up entries under the registry Uninstall keys (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and the per-user equivalent) to enumerate installed software on the system.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but none of the three families identified in this run (SmokeLoader, Tofsee, RedLine) is ransomware; drive enumeration is also a common anti-analysis check, since sandbox disks tend to be few and small.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    The identifier strings under HKLM\HARDWARE\DEVICEMAP\Scsi name the disk vendor and model, so they are often read to detect virtual machines and sandboxes (strings such as VBOX, VMware or QEMU).

  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8dda40a5568292661c1157e6edf3454e9fbf6d2215085b2ac39731276f1e83e3.exe
    "C:\Users\Admin\AppData\Local\Temp\8dda40a5568292661c1157e6edf3454e9fbf6d2215085b2ac39731276f1e83e3.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1248
    • C:\Users\Admin\AppData\Local\Temp\8dda40a5568292661c1157e6edf3454e9fbf6d2215085b2ac39731276f1e83e3.exe
      "C:\Users\Admin\AppData\Local\Temp\8dda40a5568292661c1157e6edf3454e9fbf6d2215085b2ac39731276f1e83e3.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:776
  • C:\Users\Admin\AppData\Local\Temp\AFB0.exe
    C:\Users\Admin\AppData\Local\Temp\AFB0.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Users\Admin\AppData\Local\Temp\AFB0.exe
      C:\Users\Admin\AppData\Local\Temp\AFB0.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:1824
  • C:\Users\Admin\AppData\Local\Temp\B359.exe
    C:\Users\Admin\AppData\Local\Temp\B359.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1128
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\pketgvqg\
      2⤵
        PID:988
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\kxgdejvi.exe" C:\Windows\SysWOW64\pketgvqg\
        2⤵
          PID:1928
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create pketgvqg binPath= "C:\Windows\SysWOW64\pketgvqg\kxgdejvi.exe /d\"C:\Users\Admin\AppData\Local\Temp\B359.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:852
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description pketgvqg "wifi internet conection"
            2⤵
              PID:908
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start pketgvqg
              2⤵
                PID:1908
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:472
              • C:\Users\Admin\AppData\Local\Temp\C38F.exe
                C:\Users\Admin\AppData\Local\Temp\C38F.exe
                1⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:792
                • C:\Users\Admin\AppData\Local\Temp\C38F.exe
                  C:\Users\Admin\AppData\Local\Temp\C38F.exe
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:748
              • C:\Users\Admin\AppData\Local\Temp\CFA1.exe
                C:\Users\Admin\AppData\Local\Temp\CFA1.exe
                1⤵
                • Executes dropped EXE
                PID:1712
              • C:\Windows\SysWOW64\pketgvqg\kxgdejvi.exe
                C:\Windows\SysWOW64\pketgvqg\kxgdejvi.exe /d"C:\Users\Admin\AppData\Local\Temp\B359.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1596
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  PID:1984
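The B359.exe subtree above is a textbook service-install chain: a directory is created under SysWOW64, a binary is moved there from %TEMP%, it is registered with sc.exe as an auto-start service under a lure name ("wifi support"), started, and an inbound firewall allow rule is added for svchost.exe, which the installed service binary (kxgdejvi.exe, PID 1596) then spawns and, judging by its SetThreadContext/WriteProcessMemory tags, injects into. Separately, three of the droppers spawn a second copy of themselves while carrying SetThreadContext and WriteProcessMemory, the usual RunPE/process-hollowing pattern. The Python below is an added example and not Tria.ge's code: it re-types the process records from this report into a one-line format of our own and runs two detections over them, one pairing each SetThreadContext+WriteProcessMemory parent with the child it spawned, and one reconstructing the sc.exe/netsh.exe chain and listing why it looks like malware persistence. The record format, the tag spellings and the function names are this example's assumptions.

```python
# Detection logic over the process tree in this report (added example, not Tria.ge's code).
# Records are re-typed from the Processes section above; the one-line format is ours.
import re
from os.path import basename

SAMPLE = "8dda40a5568292661c1157e6edf3454e9fbf6d2215085b2ac39731276f1e83e3.exe"
# pid ppid tags | command line    (ppid 0 = root of the tree, "-" = no tags)
PROCESS_TREE = r"""
1248 0    SetThreadContext,WriteProcessMemory | "C:\Users\Admin\AppData\Local\Temp\{SAMPLE}"
776  1248 ChecksSCSI,EnumeratesProcesses,MapViewOfSection | "C:\Users\Admin\AppData\Local\Temp\{SAMPLE}"
1468 0    ExecutesDroppedEXE,LoadsDroppedDLL,SetThreadContext,WriteProcessMemory | C:\Users\Admin\AppData\Local\Temp\AFB0.exe
1824 1468 ExecutesDroppedEXE,ChecksSCSI,MapViewOfSection | C:\Users\Admin\AppData\Local\Temp\AFB0.exe
1128 0    ExecutesDroppedEXE,WriteProcessMemory | C:\Users\Admin\AppData\Local\Temp\B359.exe
988  1128 - | "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\pketgvqg\
1928 1128 - | "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\kxgdejvi.exe" C:\Windows\SysWOW64\pketgvqg\
852  1128 - | "C:\Windows\System32\sc.exe" create pketgvqg binPath= "C:\Windows\SysWOW64\pketgvqg\kxgdejvi.exe /d\"C:\Users\Admin\AppData\Local\Temp\B359.exe\"" type= own start= auto DisplayName= "wifi support"
908  1128 - | "C:\Windows\System32\sc.exe" description pketgvqg "wifi internet conection"
1908 1128 - | "C:\Windows\System32\sc.exe" start pketgvqg
472  1128 - | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
792  0    ExecutesDroppedEXE,LoadsDroppedDLL,SetThreadContext,WriteProcessMemory | C:\Users\Admin\AppData\Local\Temp\C38F.exe
748  792  ExecutesDroppedEXE,AdjustPrivilegeToken | C:\Users\Admin\AppData\Local\Temp\C38F.exe
1712 0    ExecutesDroppedEXE | C:\Users\Admin\AppData\Local\Temp\CFA1.exe
1596 0    ExecutesDroppedEXE,SetThreadContext,WriteProcessMemory | C:\Windows\SysWOW64\pketgvqg\kxgdejvi.exe /d"C:\Users\Admin\AppData\Local\Temp\B359.exe"
1984 1596 DropsFileInSystem32,ModifiesHKEY_USERS | svchost.exe
""".replace("{SAMPLE}", SAMPLE)

LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s*\|\s*(.*)$")
# key=value pairs as sc.exe / netsh.exe take them; a quoted value may carry \" escapes
KV_RE = re.compile(r'(\w+)=\s*("(?:[^"\\]|\\.)*"|\S+)')

def parse_tree(text=PROCESS_TREE):
    procs = []
    for line in text.strip().splitlines():
        pid, ppid, tags, cmd = LINE_RE.match(line).groups()
        procs.append({"pid": int(pid), "ppid": int(ppid), "cmd": cmd,
                      "tags": set() if tags == "-" else set(tags.split(","))})
    return procs

def image_name(cmd):
    """File name of the first command-line token, quoted or bare."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return basename((m.group(1) or m.group(2)).replace("\\", "/"))

def unquote(value):
    if value.startswith('"') and value.endswith('"'):
        value = value[1:-1]
    return value.replace('\\"', '"')

def injection_candidates(procs):
    """Parent tagged SetThreadContext + WriteProcessMemory spawned a child: the child is the
    likely hollowing target. Returns (ppid, pid, child image, child image == parent image)."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p["ppid"])
        if parent and {"SetThreadContext", "WriteProcessMemory"} <= parent["tags"]:
            child, par = image_name(p["cmd"]), image_name(parent["cmd"])
            hits.append((parent["pid"], p["pid"], child, child == par))
    return hits

def service_install_chains(procs):
    """Reconstruct sc.exe-driven service installs, tying in the move that staged the binary
    and any netsh firewall rule added by the same parent."""
    chains, staged = {}, {}  # service name -> details; (ppid, file name) -> source path
    for p in procs:
        cmd, exe = p["cmd"], image_name(p["cmd"]).lower()
        if exe == "cmd.exe" and (m := re.search(r'\bmove\s+/Y\s+"([^"]+)"', cmd)):
            staged[(p["ppid"], basename(m.group(1).replace("\\", "/")))] = m.group(1)
        elif exe == "sc.exe" and (m := re.search(r"\bcreate\s+(\S+)\s+(.*)", cmd)):
            opts = {k.lower(): unquote(v) for k, v in KV_RE.findall(m.group(2))}
            image, _, args = opts.get("binpath", "").partition(" ")
            chains[m.group(1)] = {
                "dropper_pid": p["ppid"], "image": image, "args": args,
                "start": opts.get("start"), "display_name": opts.get("displayname"),
                "staged_from": staged.get((p["ppid"], basename(image.replace("\\", "/")))),
                "description": None, "started": False, "firewall_rules": []}
        elif exe == "sc.exe" and (m := re.search(r'\bdescription\s+(\S+)\s+"?([^"]*)', cmd)):
            chains[m.group(1)]["description"] = m.group(2)
        elif exe == "sc.exe" and (m := re.search(r"\bstart\s+(\S+)", cmd)):
            chains[m.group(1)]["started"] = True
        elif exe == "netsh.exe" and "add rule" in cmd:
            rule = {k.lower(): unquote(v) for k, v in KV_RE.findall(cmd)}
            for chain in chains.values():
                if chain["dropper_pid"] == p["ppid"]:
                    chain["firewall_rules"].append(rule)
    return chains

def assess(chain):
    """Why this install looks like malware persistence rather than an admin action."""
    reasons = []
    if chain["start"] == "auto" and "\\temp\\" in (chain["staged_from"] or "").lower():
        reasons.append("auto-start service binary was moved out of %TEMP% by the same parent")
    if "\\temp\\" in chain["args"].lower():
        reasons.append("service arguments point back at a file in %TEMP%")
    if any(r.get("action") == "allow" and r.get("program", "").lower().endswith("\\svchost.exe")
           for r in chain["firewall_rules"]):
        reasons.append("same parent added an inbound firewall allow rule for svchost.exe")
    return reasons

if __name__ == "__main__":
    procs = parse_tree()
    print("injection candidates:", injection_candidates(procs))
    for name, chain in service_install_chains(procs).items():
        print(f"service {name}: {chain['image']} -> {assess(chain)}")
```

On this tree the injection check pairs 1248/776, 1468/1824 and 792/748 (each a same-image child, classic self-hollowing) and 1596/1984 (kxgdejvi.exe into svchost.exe), and the service reconstruction yields one chain, pketgvqg, with all three suspicion reasons. The same logic transfers to Sysmon event 1 or Security 4688 data if you key the records on process GUID instead of PID and fill the tag set from whatever API-level telemetry you have.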

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic               | Technique                           | Hits | ID
---------------------+-------------------------------------+------+------
Persistence          | New Service                         | 1    | T1050
Persistence          | Modify Existing Service             | 1    | T1031
Persistence          | Registry Run Keys / Startup Folder  | 1    | T1060
Privilege Escalation | New Service                         | 1    | T1050
Defense Evasion      | Disabling Security Tools            | 1    | T1089
Defense Evasion      | Modify Registry                     | 2    | T1112
Credential Access    | Credentials in Files                | 1    | T1081
Discovery            | Query Registry                      | 2    | T1012
Discovery            | System Information Discovery        | 2    | T1082
Discovery            | Peripheral Device Discovery         | 1    | T1120
Collection           | Data from Local System              | 1    | T1005

These are ATT&CK v6 identifiers; in current ATT&CK, T1050 and T1031 are covered by T1543.003 (Create or Modify System Process: Windows Service), T1060 by T1547.001, T1089 by T1562.001 and T1081 by T1552.001.

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\AFB0.exe
                MD5

                dc30d438d7c5748beea5480c46adaf19

                SHA1

                3d5072db7d2dce9eb4303f08d8e3aa55ab3af104

                SHA256

                41ca180d1fd61b5ed3a0f18c4e77327c4d0f159f55ca9fb8b2dd98eb894e3056

                SHA512

                4059c65f3e455ca08accff86a04edc5933ab6f46779425e410ddd5acc7b741fc8271bc6cecda637ba47fe7e082ab433c91f23678018dd42761c60a73b0a350f4

              • C:\Users\Admin\AppData\Local\Temp\B359.exe
                MD5

                0a55edab914e130767936df074e0062c

                SHA1

                17eec2280458e5271c4e9f59a304813c97ecc90a

                SHA256

                02d70a156d2e4619dc7e1437fcd59b2ad6002e0d43bb24eeaf897972e94b038d

                SHA512

                bf7c8d795fc55acbe31ed3a1d8766d020b4b880e0be036dd8110fd39e39c708ef31f6c4fe0b971b8370fc4326ebe299940421ceb388898a1da71f20f0dfa885f

              • C:\Users\Admin\AppData\Local\Temp\C38F.exe
                MD5

                e850bf7dbab0575d6bcde28710be9192

                SHA1

                9d8c748670b02c2e01c6ad894cacd1dd27ba0814

                SHA256

                c5f10feca7a51c7e54414820d37ca533175a78465578b4b03c531c8422a16db0

                SHA512

                4f181a6e43fc116ad9b5c92b762d7609e620b57e3c19009fe88fbbc3a248495a042d4e92644e333c10cb5c774e5237a9e312690a8c98975a9af029ba85087352

              • C:\Users\Admin\AppData\Local\Temp\CFA1.exe
                MD5

                646cc8edbe849bf17c1694d936f7ae6b

                SHA1

                68b8e56cd63da79a8ace5c70f22cd0a6b3672497

                SHA256

                836e9de6ff5057a4964402ed5a9695e270a7db9e0d8b756a99203befa70fc4b7

                SHA512

                92df2e2fcfc8c0c2789222966f09b1c295e2b4d2f5d86a10d513dd05749507792d3df78b5f1d605517bba86cbc48c7ba6c9b54d8aba246a1b2cc0a75f626d9d1

              • C:\Users\Admin\AppData\Local\Temp\kxgdejvi.exe
                MD5

                2628ef09226a9801bf5a1766c9fc0f5a

                SHA1

                94c00195518abaed208953916cad62bb3f707616

                SHA256

                667aa24c7d00ec0f74ad3096fc0a962d8ae852a6b1b2675074f7753455cebceb

                SHA512

                3c7fbb2f03ddd558ac1cfc1b9bce1d22ce3a4e392feef1ab16696fe5c7081a7cdebaa67f19dd3a6ed7f1ea8aecf667cee13d278030412c6414320e223f8b843b

              • C:\Windows\SysWOW64\pketgvqg\kxgdejvi.exe
                MD5

                2628ef09226a9801bf5a1766c9fc0f5a

                SHA1

                94c00195518abaed208953916cad62bb3f707616

                SHA256

                667aa24c7d00ec0f74ad3096fc0a962d8ae852a6b1b2675074f7753455cebceb

                SHA512

                3c7fbb2f03ddd558ac1cfc1b9bce1d22ce3a4e392feef1ab16696fe5c7081a7cdebaa67f19dd3a6ed7f1ea8aecf667cee13d278030412c6414320e223f8b843b

              • \Users\Admin\AppData\Local\Temp\AFB0.exe
                MD5

                dc30d438d7c5748beea5480c46adaf19

                SHA1

                3d5072db7d2dce9eb4303f08d8e3aa55ab3af104

                SHA256

                41ca180d1fd61b5ed3a0f18c4e77327c4d0f159f55ca9fb8b2dd98eb894e3056

                SHA512

                4059c65f3e455ca08accff86a04edc5933ab6f46779425e410ddd5acc7b741fc8271bc6cecda637ba47fe7e082ab433c91f23678018dd42761c60a73b0a350f4

              • \Users\Admin\AppData\Local\Temp\C38F.exe
                MD5

                e850bf7dbab0575d6bcde28710be9192

                SHA1

                9d8c748670b02c2e01c6ad894cacd1dd27ba0814

                SHA256

                c5f10feca7a51c7e54414820d37ca533175a78465578b4b03c531c8422a16db0

                SHA512

                4f181a6e43fc116ad9b5c92b762d7609e620b57e3c19009fe88fbbc3a248495a042d4e92644e333c10cb5c774e5237a9e312690a8c98975a9af029ba85087352

              • memory/472-97-0x0000000000000000-mapping.dmp
              • memory/748-99-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

              • memory/748-101-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

              • memory/748-109-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
                Filesize

                4KB

              • memory/748-100-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

              • memory/748-102-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

              • memory/748-103-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

              • memory/748-106-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

              • memory/748-104-0x0000000000418EEE-mapping.dmp
              • memory/776-56-0x0000000000400000-0x0000000000408000-memory.dmp
                Filesize

                32KB

              • memory/776-58-0x0000000074F61000-0x0000000074F63000-memory.dmp
                Filesize

                8KB

              • memory/776-57-0x0000000000402DC6-mapping.dmp
              • memory/792-75-0x0000000001260000-0x0000000001261000-memory.dmp
                Filesize

                4KB

              • memory/792-65-0x0000000000000000-mapping.dmp
              • memory/792-85-0x00000000011F0000-0x00000000011F1000-memory.dmp
                Filesize

                4KB

              • memory/852-93-0x0000000000000000-mapping.dmp
              • memory/908-94-0x0000000000000000-mapping.dmp
              • memory/988-82-0x0000000000000000-mapping.dmp
              • memory/1128-77-0x0000000001D4B000-0x0000000001D5C000-memory.dmp
                Filesize

                68KB

              • memory/1128-63-0x0000000000000000-mapping.dmp
              • memory/1128-80-0x0000000000250000-0x0000000000263000-memory.dmp
                Filesize

                76KB

              • memory/1128-81-0x0000000000400000-0x0000000001C00000-memory.dmp
                Filesize

                24.0MB

              • memory/1248-55-0x0000000002D2B000-0x0000000002D3C000-memory.dmp
                Filesize

                68KB

              • memory/1248-59-0x0000000000220000-0x0000000000229000-memory.dmp
                Filesize

                36KB

              • memory/1368-60-0x00000000029A0000-0x00000000029B6000-memory.dmp
                Filesize

                88KB

              • memory/1368-98-0x0000000004250000-0x0000000004266000-memory.dmp
                Filesize

                88KB

              • memory/1468-68-0x000000000028B000-0x000000000029C000-memory.dmp
                Filesize

                68KB

              • memory/1468-61-0x0000000000000000-mapping.dmp
              • memory/1596-110-0x0000000001C9B000-0x0000000001CAC000-memory.dmp
                Filesize

                68KB

              • memory/1596-116-0x0000000000400000-0x0000000001C00000-memory.dmp
                Filesize

                24.0MB

              • memory/1712-83-0x0000000000000000-mapping.dmp
              • memory/1712-92-0x0000000000400000-0x000000000042C000-memory.dmp
                Filesize

                176KB

              • memory/1712-91-0x00000000003C0000-0x00000000003C9000-memory.dmp
                Filesize

                36KB

              • memory/1712-90-0x00000000003B0000-0x00000000003B9000-memory.dmp
                Filesize

                36KB

              • memory/1824-72-0x0000000000402DC6-mapping.dmp
              • memory/1908-95-0x0000000000000000-mapping.dmp
              • memory/1928-86-0x0000000000000000-mapping.dmp
              • memory/1984-112-0x00000000000C0000-0x00000000000D5000-memory.dmp
                Filesize

                84KB

              • memory/1984-113-0x00000000000C0000-0x00000000000D5000-memory.dmp
                Filesize

                84KB

              • memory/1984-114-0x00000000000C9A6B-mapping.dmp