General
- Target: 9e8ba95bed5615d34a687d76d53ea6c1a4409b977f06478c95ed6af174d89004
- Size: 273KB
- Sample: 211204-v87cwsbdcr
- MD5: 38f9a81be1276b23e05238b43e0bffff
- SHA1: e52e5c1c7aa8dc6e8b3a75553815cffe588f8010
- SHA256: 9e8ba95bed5615d34a687d76d53ea6c1a4409b977f06478c95ed6af174d89004
- SHA512: dcc08ff8a03dddc70ef7e640a710a4ef3b342a9aa2c75c299b5327f806b04014eda30448c9fae5a295025fffdba9eb320ebbe78d9ebb93775a035a3cda13b0ee
Static task: static1
Behavioral task: behavioral1
Sample: 9e8ba95bed5615d34a687d76d53ea6c1a4409b977f06478c95ed6af174d89004.exe
Resource: win10-en-20211014
Malware Config
Extracted: C:\read-me.txt
- http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
- http://helpqvrg3cc5mvb3.onion/
Extracted: C:\Boot\bg-BG\Read_Me.txt
- http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101UMNFWDKQ
- https://yip.su/2QstD5
Extracted: smokeloader 2020
Extracted: raccoon 1.8.3-hotfix (8b6023dd139bdc34aab99c286fae23d1442b4956)
- url4cnc
Extracted: raccoon 1.8.3-hotfix (b620be4c85b4051a92040003edbc322be4eb082d)
- url4cnc
Extracted: raccoon 1.8.3-hotfix (b2ef6df07cefd70742a1d2de874b0494a6c0af23)
- url4cnc
Extracted: raccoon 1.8.3-hotfix (a1fcef6b211f7efaa652483b438c193569359f50)
- url4cnc
Targets
- Target: 9e8ba95bed5615d34a687d76d53ea6c1a4409b977f06478c95ed6af174d89004
- Score: 10/10
- Tags: cryptbot, limerat, raccoon, redline, smokeloader, 8b6023dd139bdc34aab99c286fae23d1442b4956, a1fcef6b211f7efaa652483b438c193569359f50, b2ef6df07cefd70742a1d2de874b0494a6c0af23, b620be4c85b4051a92040003edbc322be4eb082d, backdoor, collection, discovery, evasion, infostealer, persistence, ransomware, rat, spyware, stealer, suricata, trojan, upx
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- suricata: ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)
- suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
Defense Evasion
- Virtualization/Sandbox Evasion (1)
- Hidden Files and Directories (2)
- Modify Registry (1)