Analysis
-
max time kernel
151s -
max time network
151s -
platform
windows7_x64 -
resource
win7-en-20211104 -
submitted
07-12-2021 10:52
General
-
Target
7f98e524346266f8018ba22eaa6113d1.exe
-
Size
319KB
-
MD5
7f98e524346266f8018ba22eaa6113d1
-
SHA1
e778147c2e2c434ba997e96cd4d76dd4cb84ca42
-
SHA256
d6b47354dff2693d279b357d0901496908922679207ebef447e78160cd45bdf3
-
SHA512
1b1615a9753f8eafdafd9381265ef78e2e7bef3e1f26553ceb8d9c734a0cfbb83eb33ef488d927c53093dfd644ab8ce11203aa2aa69a0384cdafcedff9df4bcd
Malware Config
Extracted
smokeloader
2020
http://host-data-coin-11.com/
http://file-coin-host-12.com/
Extracted
raccoon
1.8.3-hotfix
f797145799b7b1b77b35d81de942eee0908da519
-
url4cnc
http://91.219.236.27/capibar
http://94.158.245.167/capibar
http://185.163.204.216/capibar
http://185.225.19.238/capibar
http://185.163.204.218/capibar
https://t.me/capibar
Signatures
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f98e524346266f8018ba22eaa6113d1.exe"C:\Users\Admin\AppData\Local\Temp\7f98e524346266f8018ba22eaa6113d1.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7f98e524346266f8018ba22eaa6113d1.exe"C:\Users\Admin\AppData\Local\Temp\7f98e524346266f8018ba22eaa6113d1.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\8F64.exeC:\Users\Admin\AppData\Local\Temp\8F64.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8F64.exeC:\Users\Admin\AppData\Local\Temp\8F64.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\935.exeC:\Users\Admin\AppData\Local\Temp\935.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C23.exeC:\Users\Admin\AppData\Local\Temp\C23.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\8F64.exeMD5
830c02c39498ddbd7494ba8f0bc8fff2
SHA107dce439f86e555b436bd573c33a118ea6a893d0
SHA2561fbcd71bd94633e2bfe36fdcb3af542562334fc61d52a5d2ecb9839e9e1a3e11
SHA512ee82659d917d374f7f881b3c768f04a5f28251de2fa4bc98ae6c502c848be8775dd1ff33e492d3f002c32e30ffd8f91cd20be60c7f9ea18c21e0fc18093b7c20
-
C:\Users\Admin\AppData\Local\Temp\8F64.exeMD5
830c02c39498ddbd7494ba8f0bc8fff2
SHA107dce439f86e555b436bd573c33a118ea6a893d0
SHA2561fbcd71bd94633e2bfe36fdcb3af542562334fc61d52a5d2ecb9839e9e1a3e11
SHA512ee82659d917d374f7f881b3c768f04a5f28251de2fa4bc98ae6c502c848be8775dd1ff33e492d3f002c32e30ffd8f91cd20be60c7f9ea18c21e0fc18093b7c20
-
C:\Users\Admin\AppData\Local\Temp\8F64.exeMD5
830c02c39498ddbd7494ba8f0bc8fff2
SHA107dce439f86e555b436bd573c33a118ea6a893d0
SHA2561fbcd71bd94633e2bfe36fdcb3af542562334fc61d52a5d2ecb9839e9e1a3e11
SHA512ee82659d917d374f7f881b3c768f04a5f28251de2fa4bc98ae6c502c848be8775dd1ff33e492d3f002c32e30ffd8f91cd20be60c7f9ea18c21e0fc18093b7c20
-
C:\Users\Admin\AppData\Local\Temp\935.exeMD5
bce50d5b17bb88f22f0000511026520d
SHA1599aaed4ee72ec0e0fc4cada844a1c210e332961
SHA25677e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455
SHA512c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536
-
C:\Users\Admin\AppData\Local\Temp\C23.exeMD5
0cefed061e2a2241ecd302d7790a2f80
SHA15f119195af2db118c5fbac21634bea00f5d5b8da
SHA256014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983
SHA5127b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba
-
C:\Users\Admin\AppData\Local\Temp\C23.exeMD5
0cefed061e2a2241ecd302d7790a2f80
SHA15f119195af2db118c5fbac21634bea00f5d5b8da
SHA256014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983
SHA5127b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba
-
\Users\Admin\AppData\Local\Temp\8F64.exeMD5
830c02c39498ddbd7494ba8f0bc8fff2
SHA107dce439f86e555b436bd573c33a118ea6a893d0
SHA2561fbcd71bd94633e2bfe36fdcb3af542562334fc61d52a5d2ecb9839e9e1a3e11
SHA512ee82659d917d374f7f881b3c768f04a5f28251de2fa4bc98ae6c502c848be8775dd1ff33e492d3f002c32e30ffd8f91cd20be60c7f9ea18c21e0fc18093b7c20
-
memory/608-61-0x0000000000000000-mapping.dmp
-
memory/608-63-0x0000000000958000-0x0000000000969000-memory.dmpFilesize
68KB
-
memory/768-57-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/768-59-0x0000000075C51000-0x0000000075C53000-memory.dmpFilesize
8KB
-
memory/768-58-0x0000000000402F47-mapping.dmp
-
memory/1156-67-0x0000000000402F47-mapping.dmp
-
memory/1224-88-0x0000000001020000-0x0000000001021000-memory.dmpFilesize
4KB
-
memory/1224-91-0x0000000073D80000-0x0000000073E00000-memory.dmpFilesize
512KB
-
memory/1224-98-0x0000000002A00000-0x0000000002A01000-memory.dmpFilesize
4KB
-
memory/1224-73-0x0000000000000000-mapping.dmp
-
memory/1224-97-0x0000000075030000-0x0000000075065000-memory.dmpFilesize
212KB
-
memory/1224-96-0x0000000074A70000-0x0000000074A87000-memory.dmpFilesize
92KB
-
memory/1224-95-0x0000000075C50000-0x000000007689A000-memory.dmpFilesize
12.3MB
-
memory/1224-77-0x0000000074B70000-0x0000000074BBA000-memory.dmpFilesize
296KB
-
memory/1224-80-0x0000000001020000-0x0000000001089000-memory.dmpFilesize
420KB
-
memory/1224-81-0x0000000000100000-0x0000000000101000-memory.dmpFilesize
4KB
-
memory/1224-83-0x0000000076980000-0x0000000076A2C000-memory.dmpFilesize
688KB
-
memory/1224-84-0x0000000076F00000-0x0000000076F47000-memory.dmpFilesize
284KB
-
memory/1224-85-0x00000000753F0000-0x0000000075447000-memory.dmpFilesize
348KB
-
memory/1224-87-0x0000000076A30000-0x0000000076B8C000-memory.dmpFilesize
1.4MB
-
memory/1224-92-0x0000000000120000-0x0000000000165000-memory.dmpFilesize
276KB
-
memory/1224-90-0x0000000076F50000-0x0000000076FDF000-memory.dmpFilesize
572KB
-
memory/1272-71-0x0000000000000000-mapping.dmp
-
memory/1272-93-0x0000000001BC0000-0x0000000001C4F000-memory.dmpFilesize
572KB
-
memory/1272-94-0x0000000000400000-0x0000000000491000-memory.dmpFilesize
580KB
-
memory/1272-78-0x000000000026B000-0x00000000002BA000-memory.dmpFilesize
316KB
-
memory/1412-60-0x00000000025C0000-0x00000000025D6000-memory.dmpFilesize
88KB
-
memory/1412-70-0x0000000002AD0000-0x0000000002AE6000-memory.dmpFilesize
88KB
-
memory/1472-55-0x0000000000698000-0x00000000006A9000-memory.dmpFilesize
68KB
-
memory/1472-56-0x0000000000020000-0x0000000000029000-memory.dmpFilesize
36KB