Analysis

Max time kernel: 153s
Max time network: 153s
Platform: windows7_x64
Resource: win7-en-20211104
Submitted: 08-12-2021 14:02
Static task: static1

Behavioral task: behavioral1
  Sample: a904ea3baeeffecf15272412e0db5657.exe
  Resource: win7-en-20211104

Behavioral task: behavioral2
  Sample: a904ea3baeeffecf15272412e0db5657.exe
  Resource: win10-en-20211104
General

Target: a904ea3baeeffecf15272412e0db5657.exe
Size: 278KB
MD5: a904ea3baeeffecf15272412e0db5657
SHA1: 22d418de7d1ca07392be9c5596d1c294854b2d99
SHA256: e576d4e4fa5d355d71e9b882c8a1f05f0484e55c6c6df348a043f5df5ff4be22
SHA512: c58439beae0faf7077fa97329275afae994ad2c2406c00b86560e3d5b471d046817a872afdd2a2a985e96210378862d5d2593f512e2cffbc5f1bec5bff8edc96
Malware Config
Extracted
smokeloader
2020
http://rcacademy.at/upload/
http://e-lanpengeonline.com/upload/
http://vjcmvz.cn/upload/
http://galala.ru/upload/
http://witra.ru/upload/
Extracted
redline
195.133.47.114:38627
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine Payload (4 IoCs)
  resource / yara_rule:
  - behavioral1/memory/1548-65-0x0000000000BB0000-0x0000000000C18000-memory.dmp / family_redline
  - C:\Users\Admin\AppData\Local\Temp\E6D7.exe / family_redline
  - C:\Users\Admin\AppData\Local\Temp\E6D7.exe / family_redline
  - behavioral1/memory/1164-95-0x00000000009E0000-0x0000000000A4C000-memory.dmp / family_redline

- SmokeLoader
  Modular backdoor trojan in use since 2014.

- Downloads MZ/PE file

- Executes dropped EXE (6 IoCs)
  pid / process:
  - 1548 D2F8.exe
  - 1100 E6D7.exe
  - 1164 7D0.exe
  - 1596 1FC3.exe
  - 1908 1FC3.exe
  - 1528 1FC3.exe

- Deletes itself (1 IoC)
  pid / process:
  - 1208 (no process name recorded)

- Loads dropped DLL (3 IoCs)
  pid / process:
  - 1208 (no process name recorded)
  - 1596 1FC3.exe
  - 1908 1FC3.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid / process:
  - 1548 D2F8.exe
  - 1164 7D0.exe

- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description / ioc / process:
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / a904ea3baeeffecf15272412e0db5657.exe
  - Key queried / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / a904ea3baeeffecf15272412e0db5657.exe
  - Key enumerated / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / a904ea3baeeffecf15272412e0db5657.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / process:
  - 1408 a904ea3baeeffecf15272412e0db5657.exe (2 entries)
  - 1208 (62 entries; no process name recorded)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / process:
  - 1208 (no process name recorded)

- Suspicious behavior: MapViewOfSection (1 IoC)
  pid / process:
  - 1408 a904ea3baeeffecf15272412e0db5657.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / process:
  - Token: SeDebugPrivilege / 1548 D2F8.exe
  - Token: SeDebugPrivilege / 1164 7D0.exe

- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid / process:
  - 1208 (2 entries; no process name recorded)

- Suspicious use of SendNotifyMessage (2 IoCs)
  pid / process:
  - 1208 (2 entries; no process name recorded)

- Suspicious use of WriteProcessMemory (31 IoCs)
  source pid -> target pid / target process:
  - 1208 -> 1548 D2F8.exe (7 entries)
  - 1208 -> 1100 E6D7.exe (4 entries)
  - 1208 -> 1164 7D0.exe (7 entries)
  - 1208 -> 1596 1FC3.exe (3 entries)
  - 1596 1FC3.exe -> 1908 1FC3.exe (3 entries)
  - 1908 1FC3.exe -> 1528 1FC3.exe (7 entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\a904ea3baeeffecf15272412e0db5657.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a904ea3baeeffecf15272412e0db5657.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 1408

- C:\Users\Admin\AppData\Local\Temp\D2F8.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\D2F8.exe
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID: 1548

- C:\Users\Admin\AppData\Local\Temp\E6D7.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\E6D7.exe
  - Executes dropped EXE
  PID: 1100

- C:\Users\Admin\AppData\Local\Temp\7D0.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\7D0.exe
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID: 1164

- C:\Users\Admin\AppData\Local\Temp\1FC3.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\1FC3.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1596

  - C:\Users\Admin\AppData\Local\Temp\1FC3.exe (child of PID 1596)
    Command line: C:\Users\Admin\AppData\Local\Temp\1FC3.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1908

    - C:\Users\Admin\AppData\Local\Temp\1FC3.exe (child of PID 1908)
      Command line: C:\Users\Admin\AppData\Local\Temp\1FC3.exe
      - Executes dropped EXE
      PID: 1528
Network
MITRE ATT&CK Enterprise v6
Downloads

- MD5: 7ade34e7d74c83cee4c8f288c90128d5
  SHA1: 13a4bf57f5777cdd9bfb0d9568392e39d3073ed0
  SHA256: 032bf53a2f8d5b6b4512505a44e67c7c1e80f3f8b063cc78d13f2c78c5fb9bad
  SHA512: d65732c04d81bb5e947d9ff43bf40dc911659919bd662d24795ddddfcabe91135c71d7fcea2e1980f063827a9b8e51d9f16a0e8e0d3c46dc52df4a58f75b4c69
  (listed 6 times in the report)

- MD5: f80418f12c03a56ac2e8d8b189c13750
  SHA1: cd0b728375e4e178b50bca8ad65ce79aede30d37
  SHA256: cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716
  SHA512: e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196
  (listed 2 times in the report)

- MD5: 77ce7ab11225c5e723b7b1be0308e8c0
  SHA1: 709a8df1d49f28cf8c293694bbbbd0f07735829b
  SHA256: d407b5c7d9568448f1e7387924fe4dded9e016632879c386c307ef5dcf63f496
  SHA512: f73582206397db625bdefbbaf8abdc1a820ae8054eb2ef2a3ed18c8e00e8365c7ad81013b33990e4304619b3834a1b8b15c782905204add158fca686e2c25c3b
  (listed 2 times in the report)

- MD5: 3ba1d635fed88d8af279be91b7007bae
  SHA1: 62a1d59c746cdb51e699114f410749384a70cf73
  SHA256: 3151b115c3370d5360286bfe3a053d0d543f0e5d21faa68fee167224e68d115a
  SHA512: 83254fb484bd40740e5e0483dcc7fd8ce612033b00238494fdcdc5a5dcb3503195e0e2694edd5d848c07e2ddc61cafdb7d331afc4792ccd788837ebbce18bfeb
  (listed 2 times in the report)