Overview

overview

10

Static

static

a8bef00097...08.exe

windows7_x64

10

a8bef00097...08.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    27-11-2021 08:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a8bef000976a36dd25363d0b8ba4f508.exe

  • Size

    285KB

  • MD5

    a8bef000976a36dd25363d0b8ba4f508

  • SHA1

    d34d922ee3f84ce3e6068f29336001b9f049c795

  • SHA256

    d8c2781c40ac32af37c43c777a5253781950c0ce3b8c05c0d3f50b53e7863d02

  • SHA512

    46b4eb6a935f57715c3cf8539e946553a27cf2e401b1abd4dccdec223c51c9a9e40770f26934587905994e01f2786d85a06319236cdb97aab995a3bccaf63027

Score
10/10
redlinesmokeloadertofseebackdoordiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://nalirou70.top/

http://xacokuo80.top/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Extracted

Family

redline

C2

185.159.80.90:38655

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 5 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 7 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8bef000976a36dd25363d0b8ba4f508.exe
    "C:\Users\Admin\AppData\Local\Temp\a8bef000976a36dd25363d0b8ba4f508.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:944
    • C:\Users\Admin\AppData\Local\Temp\a8bef000976a36dd25363d0b8ba4f508.exe
      "C:\Users\Admin\AppData\Local\Temp\a8bef000976a36dd25363d0b8ba4f508.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:576
  • C:\Users\Admin\AppData\Local\Temp\F853.exe
    C:\Users\Admin\AppData\Local\Temp\F853.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hbpvhgrc\
      2⤵
        PID:1380
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\yujjovbs.exe" C:\Windows\SysWOW64\hbpvhgrc\
        2⤵
          PID:1964
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create hbpvhgrc binPath= "C:\Windows\SysWOW64\hbpvhgrc\yujjovbs.exe /d\"C:\Users\Admin\AppData\Local\Temp\F853.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:884
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description hbpvhgrc "wifi internet conection"
            2⤵
              PID:1948
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start hbpvhgrc
              2⤵
                PID:904
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:1600
              • C:\Users\Admin\AppData\Local\Temp\FB60.exe
                C:\Users\Admin\AppData\Local\Temp\FB60.exe
                1⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:824
                • C:\Users\Admin\AppData\Local\Temp\FB60.exe
                  C:\Users\Admin\AppData\Local\Temp\FB60.exe
                  2⤵
                  • Executes dropped EXE
                  PID:1448
                • C:\Users\Admin\AppData\Local\Temp\FB60.exe
                  C:\Users\Admin\AppData\Local\Temp\FB60.exe
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:848
              • C:\Users\Admin\AppData\Local\Temp\2C1.exe
                C:\Users\Admin\AppData\Local\Temp\2C1.exe
                1⤵
                • Executes dropped EXE
                • Checks SCSI registry key(s)
                • Suspicious behavior: MapViewOfSection
                PID:996
              • C:\Windows\SysWOW64\hbpvhgrc\yujjovbs.exe
                C:\Windows\SysWOW64\hbpvhgrc\yujjovbs.exe /d"C:\Users\Admin\AppData\Local\Temp\F853.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1076
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  PID:1508
              • C:\Users\Admin\AppData\Local\Temp\5B3D.exe
                C:\Users\Admin\AppData\Local\Temp\5B3D.exe
                1⤵
                • Executes dropped EXE
                PID:1928
              • C:\Windows\system32\regsvr32.exe
                regsvr32 /s C:\Users\Admin\AppData\Local\Temp\61E3.dll
                1⤵
                • Loads dropped DLL
                PID:984

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              New Service

              1
              T1050

              Modify Existing Service

              1
              T1031

              Registry Run Keys / Startup Folder

              1
              T1060

              Privilege Escalation

              New Service

              1
              T1050

              Defense Evasion

              Disabling Security Tools

              1
              T1089

              Modify Registry

              2
              T1112

              Credential Access

              Credentials in Files

              1
              T1081

              Discovery

              Query Registry

              2
              T1012

              System Information Discovery

              2
              T1082

              Peripheral Device Discovery

              1
              T1120

              Lateral Movement

              Collection

              Data from Local System

              1
              T1005

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\2C1.exe
                MD5

                646cc8edbe849bf17c1694d936f7ae6b

                SHA1

                68b8e56cd63da79a8ace5c70f22cd0a6b3672497

                SHA256

                836e9de6ff5057a4964402ed5a9695e270a7db9e0d8b756a99203befa70fc4b7

                SHA512

                92df2e2fcfc8c0c2789222966f09b1c295e2b4d2f5d86a10d513dd05749507792d3df78b5f1d605517bba86cbc48c7ba6c9b54d8aba246a1b2cc0a75f626d9d1

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\5B3D.exe
                MD5

                826e8b6405bc3909e664250896926135

                SHA1

                99daeef85f72112eb3145a6209c3c653fb620036

                SHA256

                c9f7bfeb926d16bfb7dcdb0fd8c768eb0cef9ecb1904426005d9a599bd976b8b

                SHA512

                5d76b7e85c8f4d088cce62044e597e693cef9a2da3cf3185f0fe714c3a64387cba03847f44ce009696ed04e18be0e90a0733ce772c0804e0e8800ad8f2eda4a2

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\61E3.dll
                MD5

                826ee7fb2a01664b3de92d65e2329d3d

                SHA1

                82f146d6542a0b2741c5b750bc6ed1675358c7fe

                SHA256

                cbd830c745bbec26733214798fe144c61ef4bac342c853f8a08b682077b2178b

                SHA512

                1773e703be227df86e60cdd0586f924a41861a14be17ff285bf5bb8a17fa0de4c61d752b9b1d229a3e9023fcfa9d39756c817e9d7e2f1b4d3491a4636d2566ae

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\F853.exe
                MD5

                ac7988f4e59d807f41a4a2163538fd46

                SHA1

                ab29b1ea7a76e8c9dfb61a8827e3c617416df95f

                SHA256

                0428125808208688f048820edba8be134d27861b5af8e8af6a178a88846cdde2

                SHA512

                cd9441be653eac1eb54647abbca76162abdf2618b44ded7b710e9a5fb5af5a1f4bb221f1e85e4ede43c66ea60e0a82d2ce627414b93f731478f9c5fff2cf5130

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\F853.exe
                MD5

                ac7988f4e59d807f41a4a2163538fd46

                SHA1

                ab29b1ea7a76e8c9dfb61a8827e3c617416df95f

                SHA256

                0428125808208688f048820edba8be134d27861b5af8e8af6a178a88846cdde2

                SHA512

                cd9441be653eac1eb54647abbca76162abdf2618b44ded7b710e9a5fb5af5a1f4bb221f1e85e4ede43c66ea60e0a82d2ce627414b93f731478f9c5fff2cf5130

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\FB60.exe
                MD5

                3c4c5a6892f8a80d51f8569f2890e22d

                SHA1

                96b9f631ea21ad54d1028c0d8957582d8c28eb6f

                SHA256

                5fddbbc0ae0862882e1232713df378fb43658b7bf71361d91a9474e95dd02040

                SHA512

                56cdf3512136485776c0fb7850497f0b6e735fe666b8df97dbabc55cc68f52ca1618c5ec0fceafe565881da699efc614c05365310cbec9122e5349a28296095f

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\FB60.exe
                MD5

                3c4c5a6892f8a80d51f8569f2890e22d

                SHA1

                96b9f631ea21ad54d1028c0d8957582d8c28eb6f

                SHA256

                5fddbbc0ae0862882e1232713df378fb43658b7bf71361d91a9474e95dd02040

                SHA512

                56cdf3512136485776c0fb7850497f0b6e735fe666b8df97dbabc55cc68f52ca1618c5ec0fceafe565881da699efc614c05365310cbec9122e5349a28296095f

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\FB60.exe
                MD5

                3c4c5a6892f8a80d51f8569f2890e22d

                SHA1

                96b9f631ea21ad54d1028c0d8957582d8c28eb6f

                SHA256

                5fddbbc0ae0862882e1232713df378fb43658b7bf71361d91a9474e95dd02040

                SHA512

                56cdf3512136485776c0fb7850497f0b6e735fe666b8df97dbabc55cc68f52ca1618c5ec0fceafe565881da699efc614c05365310cbec9122e5349a28296095f

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\FB60.exe
                MD5

                3c4c5a6892f8a80d51f8569f2890e22d

                SHA1

                96b9f631ea21ad54d1028c0d8957582d8c28eb6f

                SHA256

                5fddbbc0ae0862882e1232713df378fb43658b7bf71361d91a9474e95dd02040

                SHA512

                56cdf3512136485776c0fb7850497f0b6e735fe666b8df97dbabc55cc68f52ca1618c5ec0fceafe565881da699efc614c05365310cbec9122e5349a28296095f

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\yujjovbs.exe
                MD5

                5f140223dac0fe9ef29920ebdf32e86f

                SHA1

                0da30497f6e221f319b943b24e64e18403496973

                SHA256

                ffb28be5f166766898d28131ffb2699302193c9ff3625da461545cfabb187bad

                SHA512

                7cb23e5c81d2a00f7bc4810a29460ca313c52521f58d74627f6d5d5f71d7e71aa5d6abdc1fc07687aed33f1119dae214b5dd45935af5c8986a91d08a42fb4002

                Download Submit
              • C:\Windows\SysWOW64\hbpvhgrc\yujjovbs.exe
                MD5

                5f140223dac0fe9ef29920ebdf32e86f

                SHA1

                0da30497f6e221f319b943b24e64e18403496973

                SHA256

                ffb28be5f166766898d28131ffb2699302193c9ff3625da461545cfabb187bad

                SHA512

                7cb23e5c81d2a00f7bc4810a29460ca313c52521f58d74627f6d5d5f71d7e71aa5d6abdc1fc07687aed33f1119dae214b5dd45935af5c8986a91d08a42fb4002

                Download Submit
              • \Users\Admin\AppData\Local\Temp\61E3.dll
                MD5

                826ee7fb2a01664b3de92d65e2329d3d

                SHA1

                82f146d6542a0b2741c5b750bc6ed1675358c7fe

                SHA256

                cbd830c745bbec26733214798fe144c61ef4bac342c853f8a08b682077b2178b

                SHA512

                1773e703be227df86e60cdd0586f924a41861a14be17ff285bf5bb8a17fa0de4c61d752b9b1d229a3e9023fcfa9d39756c817e9d7e2f1b4d3491a4636d2566ae

                Download Submit
              • \Users\Admin\AppData\Local\Temp\FB60.exe
                MD5

                3c4c5a6892f8a80d51f8569f2890e22d

                SHA1

                96b9f631ea21ad54d1028c0d8957582d8c28eb6f

                SHA256

                5fddbbc0ae0862882e1232713df378fb43658b7bf71361d91a9474e95dd02040

                SHA512

                56cdf3512136485776c0fb7850497f0b6e735fe666b8df97dbabc55cc68f52ca1618c5ec0fceafe565881da699efc614c05365310cbec9122e5349a28296095f

                Download Submit
              • \Users\Admin\AppData\Local\Temp\FB60.exe
                MD5

                3c4c5a6892f8a80d51f8569f2890e22d

                SHA1

                96b9f631ea21ad54d1028c0d8957582d8c28eb6f

                SHA256

                5fddbbc0ae0862882e1232713df378fb43658b7bf71361d91a9474e95dd02040

                SHA512

                56cdf3512136485776c0fb7850497f0b6e735fe666b8df97dbabc55cc68f52ca1618c5ec0fceafe565881da699efc614c05365310cbec9122e5349a28296095f

                Download Submit
              • memory/576-58-0x0000000075BA1000-0x0000000075BA3000-memory.dmp
                Filesize

                8KB

                Download
              • memory/576-57-0x0000000000402DC6-mapping.dmp
                Download
              • memory/576-56-0x0000000000400000-0x0000000000408000-memory.dmp
                Filesize

                32KB

                Download
              • memory/824-66-0x0000000000D00000-0x0000000000D01000-memory.dmp
                Filesize

                4KB

                Download
              • memory/824-69-0x0000000000C70000-0x0000000000C71000-memory.dmp
                Filesize

                4KB

                Download
              • memory/824-63-0x0000000000000000-mapping.dmp
                Download
              • memory/848-94-0x0000000000418EEE-mapping.dmp
                Download
              • memory/848-93-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

                Download
              • memory/848-88-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

                Download
              • memory/848-96-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

                Download
              • memory/848-102-0x0000000004A10000-0x0000000004A11000-memory.dmp
                Filesize

                4KB

                Download
              • memory/848-91-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

                Download
              • memory/848-92-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

                Download
              • memory/848-90-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

                Download
              • memory/884-86-0x0000000000000000-mapping.dmp
                Download
              • memory/904-89-0x0000000000000000-mapping.dmp
                Download
              • memory/944-59-0x00000000001B0000-0x00000000001B9000-memory.dmp
                Filesize

                36KB

                Download
              • memory/944-55-0x000000000030B000-0x000000000031C000-memory.dmp
                Filesize

                68KB

                Download
              • memory/984-112-0x0000000000000000-mapping.dmp
                Download
              • memory/984-113-0x000007FEFC371000-0x000007FEFC373000-memory.dmp
                Filesize

                8KB

                Download
              • memory/996-70-0x0000000000000000-mapping.dmp
                Download
              • memory/996-75-0x0000000000400000-0x000000000042C000-memory.dmp
                Filesize

                176KB

                Download
              • memory/996-74-0x0000000000240000-0x0000000000249000-memory.dmp
                Filesize

                36KB

                Download
              • memory/996-73-0x0000000000230000-0x0000000000239000-memory.dmp
                Filesize

                36KB

                Download
              • memory/1076-103-0x000000000024B000-0x000000000025C000-memory.dmp
                Filesize

                68KB

                Download
              • memory/1076-109-0x0000000000400000-0x000000000322A000-memory.dmp
                Filesize

                46.2MB

                Download
              • memory/1088-82-0x00000000001B0000-0x00000000001C3000-memory.dmp
                Filesize

                76KB

                Download
              • memory/1088-83-0x0000000000400000-0x000000000322A000-memory.dmp
                Filesize

                46.2MB

                Download
              • memory/1088-61-0x0000000000000000-mapping.dmp
                Download
              • memory/1088-76-0x000000000030B000-0x000000000031C000-memory.dmp
                Filesize

                68KB

                Download
              • memory/1268-98-0x0000000003EB0000-0x0000000003EC6000-memory.dmp
                Filesize

                88KB

                Download
              • memory/1268-60-0x00000000021A0000-0x00000000021B6000-memory.dmp
                Filesize

                88KB

                Download
              • memory/1380-79-0x0000000000000000-mapping.dmp
                Download
              • memory/1508-105-0x0000000000080000-0x0000000000095000-memory.dmp
                Filesize

                84KB

                Download
              • memory/1508-107-0x0000000000089A6B-mapping.dmp
                Download
              • memory/1508-106-0x0000000000080000-0x0000000000095000-memory.dmp
                Filesize

                84KB

                Download
              • memory/1600-99-0x0000000000000000-mapping.dmp
                Download
              • memory/1928-110-0x0000000000000000-mapping.dmp
                Download
              • memory/1948-87-0x0000000000000000-mapping.dmp
                Download
              • memory/1964-84-0x0000000000000000-mapping.dmp
                Download