Analysis
max time kernel: 150s
max time network: 133s
platform: windows7_x64
resource: win7-en-20211208
submitted: 27-01-2022 15:45
Static task: static1
Behavioral task: behavioral1
  Sample: 36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe
  Resource: win10-en-20211208
General
Target: 36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe
Size: 289KB
MD5: e18d00380ca446a2e8e9b6ba9f4bc10c
SHA1: c012d7c5a8374805c31cf3dd3bfe52af562e704c
SHA256: 36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b
SHA512: ae9738815e1d6673a4a6de2d97309a4c46235cfc038789e82d1a228353e6ddbcaeadd4523b7fbd4a732d19efed8d4235d87166640b3ef94a117801577bce1fee
Malware Config
Extracted: smokeloader
  Version: 2020
  C2:
    http://nahbleiben.at/upload/
    http://noblecreativeaz.com/upload/
    http://tvqaq.cn/upload/
    http://recmaster.ru/upload/
    http://sovels.ru/upload/
Extracted: redline
  C2: 45.32.171.34:42954
Signatures
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/1324-64-0x0000000002060000-0x000000000209E000-memory.dmp | family_redline
  behavioral1/memory/1324-68-0x00000000020A0000-0x00000000020DA000-memory.dmp | family_redline
SmokeLoader
  Modular backdoor trojan in use since 2014.
Downloads MZ/PE file
Executes dropped EXE (1 IoC)
  pid 1324 | process E3E9.exe
Deletes itself (1 IoC)
  pid 1228 (the report does not name the image behind this pid)
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and form data.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments: the device instance IDs under Enum\SCSI carry the disk vendor/model strings, which on a virtual machine name the hypervisor (VMware, VBOX, QEMU and similar).
  description | ioc | process
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 832 | process 36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe (2 IoCs)
  pid 1228 (the remaining 62 IoCs; image name not recorded)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1228
Suspicious behavior: MapViewOfSection (1 IoC)
  pid 832 | process 36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description Token: SeDebugPrivilege | pid 1324 | process E3E9.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | target process
  PID 1228 wrote to memory of 1324 | 1228 | E3E9.exe (reported 4 times)
  Read together with the rows above: pid 1228 writes into the dropped E3E9.exe (pid 1324), which then enables SeDebugPrivilege and is the process whose memory regions match family_redline.
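The signature tables above are flattened into single lines, which makes the injection chain and the anti-sandbox registry reads easy to miss. The following is an added example (not part of the sandbox report or of either malware family's code) that restores the rows to typed events and derives the WriteProcessMemory edges, the privileges enabled in the target, and the registry reads that hit hypervisor-revealing keys. The input rows are constructed from the report's own tokens; the `SANDBOX_KEY_MARKERS` watch-list is an assumption, with only `Enum\SCSI` taken from the report.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the rows of the report's "Processes:" tables, one row per
# entry, paired with the signature they sit under. Tokens are copied from the
# report; only the row boundaries have been restored.
SAMPLE = "36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe"
SCSI_KEY = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI"
ROWS = [
    ("Checks SCSI registry key(s)", f"Key enumerated {SCSI_KEY} {SAMPLE}"),
    ("Checks SCSI registry key(s)", f"Key opened {SCSI_KEY} {SAMPLE}"),
    ("Checks SCSI registry key(s)", f"Key queried {SCSI_KEY} {SAMPLE}"),
    ("Executes dropped EXE", "1324 E3E9.exe"),
    ("Suspicious behavior: MapViewOfSection", f"832 {SAMPLE}"),
    ("Suspicious use of AdjustPrivilegeToken", "Token: SeDebugPrivilege 1324 E3E9.exe"),
] + [("Suspicious use of WriteProcessMemory", "PID 1228 wrote to memory of 1324 1228 E3E9.exe")] * 4

# Row shapes used by this sandbox's tables (description / ioc / pid / process columns).
REGISTRY_RE = re.compile(r"^Key (\w+) (\\REGISTRY\\\S+) (\S+)$")
TOKEN_RE = re.compile(r"^Token: (\w+) (\d+) (\S+)$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+)$")
PID_RE = re.compile(r"^(\d+) (\S+)$")

# Registry paths whose device instance IDs carry disk vendor/model strings and so
# reveal a hypervisor. Assumption: a small watch-list; only Enum\SCSI is from the report.
SANDBOX_KEY_MARKERS = ("\\enum\\scsi", "\\enum\\ide")


def parse_rows(rows):
    """Typed events from flattened rows. Unknown shapes are kept as 'raw' so a
    changed table layout shows up in the output instead of vanishing."""
    events = []
    for sig, text in rows:
        if m := REGISTRY_RE.match(text):
            events.append({"type": "registry", "sig": sig, "op": m[1], "key": m[2], "process": m[3]})
        elif m := TOKEN_RE.match(text):
            events.append({"type": "privilege", "sig": sig, "privilege": m[1], "pid": int(m[2]), "process": m[3]})
        elif m := WPM_RE.match(text):
            events.append({"type": "inject", "sig": sig, "src": int(m[1]), "dst": int(m[2]), "dst_process": m[3]})
        elif m := PID_RE.match(text):
            events.append({"type": "process", "sig": sig, "pid": int(m[1]), "process": m[2]})
        else:
            events.append({"type": "raw", "sig": sig, "text": text})
    return events


def summarize(events):
    """Injection edges with counts, privileges per pid, sandbox-evasion registry
    reads, and the pid -> image-name map the rows happen to reveal."""
    s = {"injections": Counter(), "privileges": defaultdict(set), "sandbox_checks": [], "names": {}}
    for e in events:
        if e["type"] == "inject":
            s["injections"][(e["src"], e["dst"])] += 1
            s["names"].setdefault(e["dst"], e["dst_process"])
        elif e["type"] == "privilege":
            s["privileges"][e["pid"]].add(e["privilege"])
            s["names"].setdefault(e["pid"], e["process"])
        elif e["type"] == "process":
            s["names"].setdefault(e["pid"], e["process"])
        elif e["type"] == "registry" and any(mk in e["key"].lower() for mk in SANDBOX_KEY_MARKERS):
            s["sandbox_checks"].append((e["process"], e["op"], e["key"]))
    return s


def injection_chain(summary):
    """'src (image) -> dst (image) xN [privileges enabled in dst]' per edge;
    '?' where the report never names the process (pid 1228 here)."""
    lines = []
    for (src, dst), n in sorted(summary["injections"].items()):
        privs = ",".join(sorted(summary["privileges"].get(dst, ())))
        line = f"{src} ({summary['names'].get(src, '?')}) -> {dst} ({summary['names'].get(dst, '?')}) x{n}"
        lines.append(line + (f" [{privs}]" if privs else ""))
    return lines


if __name__ == "__main__":
    summary = summarize(parse_rows(ROWS))
    print("\n".join(injection_chain(summary)))
    for proc, op, key in summary["sandbox_checks"]:
        print(f"sandbox check: {proc} {op} {key}")
```

The chain stops at pid 1228 because the report never names its image; the MapViewOfSection row for pid 832 is kept as a process event rather than turned into an edge, since the sandbox recorded no target for it.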
Processes
C:\Users\Admin\AppData\Local\Temp\36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
C:\Users\Admin\AppData\Local\Temp\E3E9.exe (tree depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\E3E9.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\E3E9.exe
  MD5: a7e31a1a4ef916d45f6cea16f383605a
  SHA1: 21f3adb10382136b80e020d91979c57bbdc06595
  SHA256: 78036f7fbb657ea16be0810cd7522f790d72dde3cd060f106d48d947addd5ffd
  SHA512: 34d6781d76a058bfb44a451d48d3bd4cf1ba1f72c1d5218ec4a8963e289940242ce080513d171ab4fe9497c4071100a0f8489cee611677b676c12b3585a96b37
Memory dumps (name | Filesize)
memory/832-55-0x00000000763F1000-0x00000000763F3000-memory.dmp | 8KB
memory/832-57-0x0000000000230000-0x0000000000239000-memory.dmp | 36KB
memory/832-56-0x0000000000220000-0x0000000000228000-memory.dmp | 32KB
memory/832-58-0x0000000000400000-0x0000000002B7E000-memory.dmp | 39.5MB
memory/1228-59-0x0000000002220000-0x0000000002236000-memory.dmp | 88KB
memory/1324-61-0x0000000000510000-0x000000000055D000-memory.dmp | 308KB
memory/1324-62-0x00000000002E0000-0x0000000000325000-memory.dmp | 276KB
memory/1324-63-0x0000000000400000-0x000000000045F000-memory.dmp | 380KB
memory/1324-64-0x0000000002060000-0x000000000209E000-memory.dmp | 248KB
memory/1324-65-0x00000000049D1000-0x00000000049D2000-memory.dmp | 4KB
memory/1324-67-0x00000000049D3000-0x00000000049D4000-memory.dmp | 4KB
memory/1324-66-0x00000000049D2000-0x00000000049D3000-memory.dmp | 4KB
memory/1324-68-0x00000000020A0000-0x00000000020DA000-memory.dmp | 232KB
memory/1324-70-0x00000000049D4000-0x00000000049D6000-memory.dmp | 8KB
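The dump file names encode pid, sequence number and the virtual address range of each region, and the two family_redline YARA hits above point at two of them. The following is an added example (not part of the sandbox report) that parses those names, checks the listed Filesize against the address arithmetic, lists the regions with a family hit in address order, totals the dumped bytes per pid, and finds dumps of one process that lie within two pages of each other, which is how the two RedLine regions in pid 1324 show up as a single block to carve. The `DUMPS` and `YARA_HITS` tables are copied from the report; the rounding rule in `human_size` is an assumption inferred from the listed values.

```python
import re
from collections import defaultdict

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PAGE = 0x1000

# Copied from the report: dump name and the Filesize the sandbox printed for it.
DUMPS = [
    ("memory/832-55-0x00000000763F1000-0x00000000763F3000-memory.dmp", "8KB"),
    ("memory/832-57-0x0000000000230000-0x0000000000239000-memory.dmp", "36KB"),
    ("memory/832-56-0x0000000000220000-0x0000000000228000-memory.dmp", "32KB"),
    ("memory/832-58-0x0000000000400000-0x0000000002B7E000-memory.dmp", "39.5MB"),
    ("memory/1228-59-0x0000000002220000-0x0000000002236000-memory.dmp", "88KB"),
    ("memory/1324-61-0x0000000000510000-0x000000000055D000-memory.dmp", "308KB"),
    ("memory/1324-62-0x00000000002E0000-0x0000000000325000-memory.dmp", "276KB"),
    ("memory/1324-63-0x0000000000400000-0x000000000045F000-memory.dmp", "380KB"),
    ("memory/1324-64-0x0000000002060000-0x000000000209E000-memory.dmp", "248KB"),
    ("memory/1324-65-0x00000000049D1000-0x00000000049D2000-memory.dmp", "4KB"),
    ("memory/1324-67-0x00000000049D3000-0x00000000049D4000-memory.dmp", "4KB"),
    ("memory/1324-66-0x00000000049D2000-0x00000000049D3000-memory.dmp", "4KB"),
    ("memory/1324-68-0x00000000020A0000-0x00000000020DA000-memory.dmp", "232KB"),
    ("memory/1324-70-0x00000000049D4000-0x00000000049D6000-memory.dmp", "8KB"),
]

# Copied from the "RedLine Payload" signature, with the behavioral1/ prefix dropped.
YARA_HITS = {
    "memory/1324-64-0x0000000002060000-0x000000000209E000-memory.dmp": "family_redline",
    "memory/1324-68-0x00000000020A0000-0x00000000020DA000-memory.dmp": "family_redline",
}


def parse_dump(name):
    """pid, sequence number and address range from the dump file name."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    start, end = int(m[3], 16), int(m[4], 16)
    if end <= start or start % PAGE or end % PAGE:
        raise ValueError(f"implausible region in {name}")
    return {"name": name, "pid": int(m[1]), "seq": int(m[2]), "start": start, "end": end, "size": end - start}


def human_size(n):
    """Assumed rounding rule of the report: whole KB below 1 MiB, else MB to one decimal."""
    if n < 1 << 20:
        return f"{n >> 10}KB"
    return f"{n / (1 << 20):.1f}MB"


def check_report(dumps, yara_hits):
    """One record per dump, with the listed size cross-checked against end - start."""
    rows = []
    for name, listed in dumps:
        d = parse_dump(name)
        d["listed"] = listed
        d["size_ok"] = human_size(d["size"]) == listed
        d["yara"] = yara_hits.get(name)
        rows.append(d)
    return rows


def carve_targets(rows):
    """Regions with a family hit, in (pid, address) order: extract these first."""
    return sorted(((r["pid"], r["start"], r["end"], r["yara"]) for r in rows if r["yara"]), key=lambda t: t[:2])


def footprint(rows):
    """Bytes dumped per pid; the 39.5MB region of pid 832 dominates the total."""
    by_pid = defaultdict(int)
    for r in rows:
        by_pid[r["pid"]] += r["size"]
    return dict(by_pid)


def neighbours(rows, gap=2 * PAGE):
    """Pairs of dumps of one pid whose ranges are at most `gap` bytes apart. The two
    RedLine hits in pid 1324 are separated by exactly 0x2000 and belong together."""
    per_pid = defaultdict(list)
    for r in rows:
        per_pid[r["pid"]].append(r)
    out = []
    for regs in per_pid.values():
        regs.sort(key=lambda r: r["start"])
        for a, b in zip(regs, regs[1:]):
            if 0 <= b["start"] - a["end"] <= gap:
                out.append((a["name"], b["name"]))
    return out


if __name__ == "__main__":
    rows = check_report(DUMPS, YARA_HITS)
    for r in rows:
        flag = "" if r["size_ok"] else "  SIZE MISMATCH"
        print(f"{r['pid']:>5} {r['start']:#012x}-{r['end']:#012x} {human_size(r['size']):>7} {r['yara'] or ''}{flag}")
    print("carve:", carve_targets(rows))
    print("footprint:", {pid: human_size(n) for pid, n in footprint(rows).items()})
    print("adjacent:", neighbours(rows))
```

Every listed Filesize in this report agrees with the address range, so `size_ok` is true for all fourteen dumps; a mismatch would indicate a truncated dump or a renamed file and is worth flagging before any carving.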