51e44507c4d4459f9afb6304d926f4a7.exe

Target

Size

326KB

Sample

211226-kce9esbda5

Score

10 ^/10

MD5

51e44507c4d4459f9afb6304d926f4a7

SHA1

d1d770b4e7b7dab43b74362ffcbf3aed81115c7c

SHA256

0a3eeb453ba4b4728d686d4c79b3131d5117f112ce48c024b694b148510de40e

SHA512

be45d3099974c1e5062bf9f3f152c3d43a1ff034f863f10061106b835d794d1a9b40871550bc2f0418de1f388900ec39fc3147261892267ed66d55ae93aadc4d

Extracted

Family	smokeloader
Version	2020
C2	http://host-data-coin-11.com/ http://file-coin-host-12.com/ http://srtuiyhuali.at/ http://fufuiloirtu.com/ http://amogohuigotuli.at/ http://novohudosovu.com/ http://brutuilionust.com/ http://bubushkalioua.com/ http://dumuilistrati.at/ http://verboliatsiaeeees.com/ http://host-data-coin-11.com/ http://file-coin-host-12.com/ http://srtuiyhuali.at/ http://fufuiloirtu.com/ http://amogohuigotuli.at/ http://novohudosovu.com/ http://brutuilionust.com/ http://bubushkalioua.com/ http://dumuilistrati.at/ http://verboliatsiaeeees.com/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family	tofsee
C2	parubey.info patmushta.info parubey.info patmushta.info

Extracted

Family	redline
Botnet	1
C2	86.107.197.138:38133 86.107.197.138:38133

Extracted

Family	raccoon
Botnet	10da56e7e71e97bdc1f36eb76813bbc3231de7e4
Attributes	url4cnc http://194.180.174.53/capibar http://91.219.236.18/capibar http://194.180.174.41/capibar http://91.219.236.148/capibar https://t.me/capibar
rc4.plain
rc4.plain

Target

51e44507c4d4459f9afb6304d926f4a7.exe

MD5

51e44507c4d4459f9afb6304d926f4a7

Filesize

326KB

Score

10^/10

SHA1

d1d770b4e7b7dab43b74362ffcbf3aed81115c7c

SHA256

0a3eeb453ba4b4728d686d4c79b3131d5117f112ce48c024b694b148510de40e

SHA512

be45d3099974c1e5062bf9f3f152c3d43a1ff034f863f10061106b835d794d1a9b40871550bc2f0418de1f388900ec39fc3147261892267ed66d55ae93aadc4d

Signatures

Arkei
Description

Arkei is an infostealer written in C++.
Tags

stealer arkei
Raccoon
Description

Simple but powerful infostealer which was very active in 2019.
Tags

stealer raccoon
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
SmokeLoader
Description

Modular backdoor trojan in use since 2014.
Tags

trojan backdoor smokeloader
Tofsee
Description

Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
Tags

trojan tofsee
Windows security bypass
Tags

evasion trojan

TTPs

Disabling Security ToolsModify Registry
xmrig
Description

XMRig is a high performance, open source, cross platform CPU/GPU miner.
Tags

miner xmrig
Arkei Stealer Payload
Tags

stealer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags

evasion

TTPs

Query RegistryVirtualization/Sandbox Evasion
XMRig Miner Payload
Tags

miner
Creates new service(s)
Tags

persistence

TTPs

New Service
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Tags

evasion

TTPs

Modify Existing Service
Sets service image path in registry
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Checks BIOS information in registry
Description

BIOS information is often read in order to detect sandboxing environments.
TTPs

Query RegistrySystem Information Discovery
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Accesses Microsoft Outlook profiles
Tags

collection

TTPs

Email Collection
Accesses cryptocurrency files/wallets, possible credential harvesting
Tags

spyware

TTPs

Data from Local SystemCredentials in Files
Checks installed software on the system
Description

Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags

discovery

TTPs

Query Registry
Checks whether UAC is enabled
Tags

evasion trojan

TTPs

System Information Discovery
Legitimate hosting services abused for malware hosting/C2
TTPs

Web Service
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

Related Tasks

behavioral1 behavioral2

Collection

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

static1

behavioral1

arkei raccoon redline smokeloader tofsee xmrig 1 10da56e7e71e97bdc1f36eb76813bbc3231de7e4 backdoor collection discovery evasion infostealer miner persistence spyware stealer trojan

10^/10

behavioral2

arkei raccoon redline smokeloader tofsee xmrig 1 10da56e7e71e97bdc1f36eb76813bbc3231de7e4 backdoor collection discovery evasion infostealer miner persistence spyware stealer trojan

10^/10

Extracted

Extracted

Extracted

Extracted

Tags

Signatures

Arkei

Description

Tags

Raccoon

Description

Tags

RedLine

Description

Tags

RedLine Payload

SmokeLoader

Description

Tags

Tofsee

Description

Tags

Windows security bypass

Tags

TTPs

xmrig

Description

Tags

Arkei Stealer Payload

Tags

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags

TTPs

XMRig Miner Payload

Tags

Creates new service(s)

Tags

TTPs

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

Tags

TTPs

Sets service image path in registry

Tags

TTPs

Checks BIOS information in registry

Description

TTPs

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Description

Tags

TTPs

Accesses Microsoft Outlook profiles

Tags

TTPs

Accesses cryptocurrency files/wallets, possible credential harvesting

Tags

TTPs

Checks installed software on the system

Description

Tags

TTPs

Checks whether UAC is enabled

Tags

TTPs

Legitimate hosting services abused for malware hosting/C2

TTPs

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Related Tasks

static1

behavioral1

behavioral2