General

Target: db31806cc7eacb4af123f8830cd1cb931c637250a1f393f4b1df6a407daa7cf0
Size: 291KB
Sample: 211224-p623haebe5
MD5: 55a10b4224a945cf4b7124e0b5c8c1e2
SHA1: dc3ee2bb2b5d4d5ed52721827b4f3fdc71058464
SHA256: db31806cc7eacb4af123f8830cd1cb931c637250a1f393f4b1df6a407daa7cf0
SHA512: 5a58493d837fbdf56d9adb2f5422287f3fa1a816148caabee1e5b730c6d8af748d5ee46e495a2adcbe1d33b1740ea30fc734d28009ca007ffa2a984479c21631

Static task: static1
Behavioral task: behavioral1
Sample: db31806cc7eacb4af123f8830cd1cb931c637250a1f393f4b1df6a407daa7cf0.exe
Resource: win10-en-20211208
Malware Config

Extracted: smokeloader
Version: 2020
C2:
  http://host-data-coin-11.com/
  http://file-coin-host-12.com/

Extracted: tofsee
C2:
  mubrikych.top
  oxxyfix.xyz

Extracted: redline
Botnet: 1
C2:
  86.107.197.138:38133

Extracted: amadey
Version: 3.01
C2:
  185.215.113.35/d2VxjasuwS/index.php

Extracted: raccoon
Botnet: 10da56e7e71e97bdc1f36eb76813bbc3231de7e4
url4cnc:
  http://194.180.174.53/capibar
  http://91.219.236.18/capibar
  http://194.180.174.41/capibar
  http://91.219.236.148/capibar
  https://t.me/capibar

Extracted: amadey
Version: 2.86
C2:
  2.56.56.210/notAnoob/index.php
Targets

Target: db31806cc7eacb4af123f8830cd1cb931c637250a1f393f4b1df6a407daa7cf0
- Detect Neshta Payload
- Modifies system executable filetype association
- Neshta
  Malware from the Neshta family infects other files in order to spread itself and cause damage.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Arkei Stealer Payload
- Creates new service(s)
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Installed Components in the registry
- Modifies Windows Firewall
- Sets service image path in registry
- Deletes itself
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection
  Data from Local System (2)
Command and Control
Credential Access
  Credentials in Files (2)
Discovery
  Query Registry (5)
  System Information Discovery (5)
  Peripheral Device Discovery (2)
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
  Modify Existing Service (1)
  Change Default File Association (1)
  New Service (1)
  Scheduled Task (1)
  Registry Run Keys / Startup Folder (2)
Privilege Escalation