Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    21-12-2021 14:42

General

  • Target

    1b8d2ab90fb38b4bea635316b70b3cdbc4dd4cfbebe16d96b821d32e8f6e1af4.exe

  • Size

    134KB

  • MD5

    c6c75b0d8ae8f6ebecf2d8d2737b5920

  • SHA1

    c56c55b1b767aec1b92e73b68e9813050a61cc5d

  • SHA256

    1b8d2ab90fb38b4bea635316b70b3cdbc4dd4cfbebe16d96b821d32e8f6e1af4

  • SHA512

    94625616f25841e7a092b73e1488c5a4f2b1066ff73fa5cc1503614abca2f5b1641b96b6aefcf58af05b4cf2d7607b4b81dbb6035d0f55dd241f75e2ac52147c

Malware Config

Extracted

Family

smokeloader

Version

2020

C2


rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

tofsee

C2

mubrikych.top

oxxyfix.xyz

Extracted

Family

redline

Botnet

install

C2

62.182.156.187:56323

Extracted

Family

redline

Botnet

1

C2

86.107.197.138:38133

Extracted

Family

amadey

Version

2.86

C2

2.56.56.210/notAnoob/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Arkei

    Arkei is an infostealer written in C++.

  • Detect Neshta Payload ⋅ 20 IoCs
  • Modifies system executable filetype association ⋅ 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload ⋅ 5 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass ⋅ 2 TTPs
  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Arkei Stealer Payload ⋅ 2 IoCs
  • XMRig Miner Payload ⋅ 1 IoCs
  • Creates new service(s) ⋅ 1 TTPs
  • Downloads MZ/PE file
  • Executes dropped EXE ⋅ 22 IoCs
  • Modifies Windows Firewall ⋅ 1 TTPs
  • Sets service image path in registry ⋅ 2 TTPs
  • Deletes itself ⋅ 1 IoCs
  • Loads dropped DLL ⋅ 3 IoCs
  • Reads user/profile data of web browsers ⋅ 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles ⋅ 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting ⋅ 2 TTPs
  • Checks installed software on the system ⋅ 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory ⋅ 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger ⋅ 1 IoCs
  • Suspicious use of SetThreadContext ⋅ 6 IoCs
  • Drops file in Program Files directory ⋅ 64 IoCs
  • Drops file in Windows directory ⋅ 9 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash ⋅ 1 IoCs
  • Checks SCSI registry key(s) ⋅ 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry ⋅ 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe ⋅ 1 IoCs
  • Modifies data under HKEY_USERS ⋅ 12 IoCs