5eff8ead8ac7a73394a558155f2cf92f.exe

Target

Size

330KB

Sample

211226-j81dssbch9

Score

10 ^/10

MD5

5eff8ead8ac7a73394a558155f2cf92f

SHA1

65d6f7d0c8380ab506eba103abd2510022568ea3

SHA256

517836d1bd7e3ad8653520e36336e541d1a3d696f80554c00d43848a66cba9db

SHA512

ca4acbca6ef2d1b926105ce06cd1b45972f0cb21d7daff78def0f3e7ce0deb95021802c51d08f49bc325e08a97ebf94b21cdd52aaf529d21942734900e117c96

Extracted

Family	smokeloader
Version	2020
C2	http://host-data-coin-11.com/ http://file-coin-host-12.com/ http://srtuiyhuali.at/ http://fufuiloirtu.com/ http://amogohuigotuli.at/ http://novohudosovu.com/ http://brutuilionust.com/ http://bubushkalioua.com/ http://dumuilistrati.at/ http://verboliatsiaeeees.com/ http://host-data-coin-11.com/ http://file-coin-host-12.com/ http://srtuiyhuali.at/ http://fufuiloirtu.com/ http://amogohuigotuli.at/ http://novohudosovu.com/ http://brutuilionust.com/ http://bubushkalioua.com/ http://dumuilistrati.at/ http://verboliatsiaeeees.com/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family	tofsee
C2	parubey.info patmushta.info parubey.info patmushta.info

Extracted

Family	redline
Botnet	1
C2	86.107.197.138:38133 86.107.197.138:38133

Extracted

Family	raccoon
Botnet	10da56e7e71e97bdc1f36eb76813bbc3231de7e4
Attributes	url4cnc http://194.180.174.53/capibar http://91.219.236.18/capibar http://194.180.174.41/capibar http://91.219.236.148/capibar https://t.me/capibar
rc4.plain
rc4.plain

Target

5eff8ead8ac7a73394a558155f2cf92f.exe

MD5

5eff8ead8ac7a73394a558155f2cf92f

Filesize

330KB

Score

10^/10

SHA1

65d6f7d0c8380ab506eba103abd2510022568ea3

SHA256

517836d1bd7e3ad8653520e36336e541d1a3d696f80554c00d43848a66cba9db

SHA512

ca4acbca6ef2d1b926105ce06cd1b45972f0cb21d7daff78def0f3e7ce0deb95021802c51d08f49bc325e08a97ebf94b21cdd52aaf529d21942734900e117c96

Signatures

Arkei
Description

Arkei is an infostealer written in C++.
Tags

stealer arkei
Raccoon
Description

Simple but powerful infostealer which was very active in 2019.
Tags

stealer raccoon
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Tofsee
Description

Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
Tags

trojan tofsee
Windows security bypass
Tags

evasion trojan

TTPs

Disabling Security ToolsModify Registry
xmrig
Description

XMRig is a high performance, open source, cross platform CPU/GPU miner.
Tags

miner xmrig
Arkei Stealer Payload
Tags

stealer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags

evasion

TTPs

Query RegistryVirtualization/Sandbox Evasion
XMRig Miner Payload
Tags

miner
Creates new service(s)
Tags

persistence

TTPs

New Service
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Tags

evasion

TTPs

Modify Existing Service
Sets service image path in registry
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Checks BIOS information in registry
Description

BIOS information is often read in order to detect sandboxing environments.
TTPs

Query RegistrySystem Information Discovery
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Accesses Microsoft Outlook profiles
Tags

collection

TTPs

Email Collection
Accesses cryptocurrency files/wallets, possible credential harvesting
Tags

spyware

TTPs

Data from Local SystemCredentials in Files
Checks installed software on the system
Description

Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags

discovery

TTPs

Query Registry
Checks whether UAC is enabled
Tags

evasion trojan

TTPs

System Information Discovery
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

Related Tasks

behavioral1 behavioral2

Collection

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

static1

behavioral1

raccoon redline smokeloader tofsee xmrig 1 10da56e7e71e97bdc1f36eb76813bbc3231de7e4 backdoor collection discovery evasion infostealer miner persistence spyware stealer trojan

10^/10

behavioral2

arkei raccoon redline smokeloader tofsee xmrig 1 10da56e7e71e97bdc1f36eb76813bbc3231de7e4 backdoor collection discovery evasion infostealer miner persistence spyware stealer trojan

10^/10

Extracted

Extracted

Extracted

Extracted

Tags

Signatures

Arkei

Description

Tags

Raccoon

Description

Tags

RedLine

Description

Tags

RedLine Payload

SmokeLoader

Description

Tags

Tofsee

Description

Tags

Windows security bypass

Tags

TTPs

xmrig

Description

Tags

Arkei Stealer Payload

Tags

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags

TTPs

XMRig Miner Payload

Tags

Creates new service(s)

Tags

TTPs

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

Tags

TTPs

Sets service image path in registry

Tags

TTPs

Checks BIOS information in registry

Description

TTPs

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Description

Tags

TTPs

Accesses Microsoft Outlook profiles

Tags

TTPs

Accesses cryptocurrency files/wallets, possible credential harvesting

Tags

TTPs

Checks installed software on the system

Description

Tags

TTPs

Checks whether UAC is enabled

Tags

TTPs

Legitimate hosting services abused for malware hosting/C2

TTPs

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Related Tasks

static1

behavioral1

behavioral2