Overview

overview

10

Static

static

0da6fa4b33...0f.exe

windows7_x64

10

0da6fa4b33...0f.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294212s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220310-en
  • submitted
    12-03-2022 20:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0da6fa4b335e835322515d0a96c88d6a133349d57560f.exe

  • Size

    234KB

  • MD5

    c84fc9842b288932a1c1cc8f1371ea21

  • SHA1

    2e048768e866cb00596b3b6718956d0ff070f615

  • SHA256

    0da6fa4b335e835322515d0a96c88d6a133349d57560f476821d90e2477ffbeb

  • SHA512

    04eedd48ac09195da84eb9d7b7fb37a77f9ebc13cbb9f342a33e3d1e821536622ae90d3c29c2c76b68cb2076eea7f627e84b34a5fb4b5f6cd3924fa749be9a46

Score
10/10
raccoonredlinesmokeloaderccba3157b9f42051adf38fbb8f5d0aca7f2b7366wwbackdoordiscoveryinfostealerspywarestealersuricatatrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://coralee.at/upload/

http://ducvietcao.com/upload/

http://biz-acc.ru/upload/

http://toimap.com/upload/

http://bbb7d.com/upload/

http://piratia-life.ru/upload/

http://curvreport.com/upload/

http://viagratos.com/upload/

http://mordo.ru/upload/

http://pkodev.net/upload/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

ww

C2

193.106.191.67:44400

Attributes
  • auth_value

    5a1b28ccd05953f5c3f99729c12427cc

Extracted

Family

raccoon

Botnet

ccba3157b9f42051adf38fbb8f5d0aca7f2b7366

Attributes
  • url4cnc

    http://185.163.204.81/nui8xtgen

    http://194.180.191.33/nui8xtgen

    http://174.138.11.98/nui8xtgen

    http://194.180.191.44/nui8xtgen

    http://91.219.236.120/nui8xtgen

    https://t.me/nui8xtgen

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)

    suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)

    suricata
  • suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6

    suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6

    suricata
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0da6fa4b335e835322515d0a96c88d6a133349d57560f.exe
    "C:\Users\Admin\AppData\Local\Temp\0da6fa4b335e835322515d0a96c88d6a133349d57560f.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1564
  • C:\Users\Admin\AppData\Local\Temp\EBF4.exe
    C:\Users\Admin\AppData\Local\Temp\EBF4.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:564
    • C:\Windows\syswow64\rundll32.exe
      "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 280
        3⤵
        • Program crash
        PID:1044
  • C:\Users\Admin\AppData\Local\Temp\257C.exe
    C:\Users\Admin\AppData\Local\Temp\257C.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1616
  • C:\Users\Admin\AppData\Local\Temp\6C1D.exe
    C:\Users\Admin\AppData\Local\Temp\6C1D.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1592
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 412
      2⤵
      • Loads dropped DLL
      • Program crash
      PID:428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\257C.exe
    MD5

    a5a06797f4a594578320a4dacfcf8922

    SHA1

    ddcde41d7dd3d4090d5ddd9f97ccfcb620af6f83

    SHA256

    226df6b92ea8c7a4a9b746f899aeaec4cfbe90bf8911c6ebc1c9439a64bc8ba4

    SHA512

    3f71f226b0614c966e1483c4a5a5390abe20bf7f3ce9e489d94ecbe647aabd5a450da5670d73bc1685460a6252e64cff35d974519e8a5c63b6d0ceb75ca39dc6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\6C1D.exe
    MD5

    e86f1cd73f0be7895872a04dcdfb7766

    SHA1

    3b2b9441b33ad62ffd0482fb7809751d3b9bad2a

    SHA256

    e7add15b111b57233b6b738daa79d3be3369d2a8858618c2906b6ef1347dc2c3

    SHA512

    8b80db7f3133be76feda9c0c05d4739018df74d763d15c8d910ebe77917fa6533bbef3c73a085219874a3d0f1c6de6260bb6bd3f0c514bf99dcfd6a2ed13baab

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\EBF4.exe
    MD5

    5db4e7f04bb163a1337f216ee2076568

    SHA1

    d1f09aadd4d7583c18a5dbe889477179718de362

    SHA256

    12cdcdee943f989fc68b7781176572822605b5ace00dcdb445e58e6bf60c9a5a

    SHA512

    2b14db4807294180165c472a16fcb1ce4fd156165d760b6d0c6eb176e8775e67097db629a88c66ec1ff69e31772455e7957beea20f2288b03647f5134de83263

    Download Submit
  • \Users\Admin\AppData\Local\Temp\6C1D.exe
    MD5

    e86f1cd73f0be7895872a04dcdfb7766

    SHA1

    3b2b9441b33ad62ffd0482fb7809751d3b9bad2a

    SHA256

    e7add15b111b57233b6b738daa79d3be3369d2a8858618c2906b6ef1347dc2c3

    SHA512

    8b80db7f3133be76feda9c0c05d4739018df74d763d15c8d910ebe77917fa6533bbef3c73a085219874a3d0f1c6de6260bb6bd3f0c514bf99dcfd6a2ed13baab

    Download Submit
  • \Users\Admin\AppData\Local\Temp\6C1D.exe
    MD5

    e86f1cd73f0be7895872a04dcdfb7766

    SHA1

    3b2b9441b33ad62ffd0482fb7809751d3b9bad2a

    SHA256

    e7add15b111b57233b6b738daa79d3be3369d2a8858618c2906b6ef1347dc2c3

    SHA512

    8b80db7f3133be76feda9c0c05d4739018df74d763d15c8d910ebe77917fa6533bbef3c73a085219874a3d0f1c6de6260bb6bd3f0c514bf99dcfd6a2ed13baab

    Download Submit
  • \Users\Admin\AppData\Local\Temp\6C1D.exe
    MD5

    e86f1cd73f0be7895872a04dcdfb7766

    SHA1

    3b2b9441b33ad62ffd0482fb7809751d3b9bad2a

    SHA256

    e7add15b111b57233b6b738daa79d3be3369d2a8858618c2906b6ef1347dc2c3

    SHA512

    8b80db7f3133be76feda9c0c05d4739018df74d763d15c8d910ebe77917fa6533bbef3c73a085219874a3d0f1c6de6260bb6bd3f0c514bf99dcfd6a2ed13baab

    Download Submit
  • \Users\Admin\AppData\Local\Temp\6C1D.exe
    MD5

    e86f1cd73f0be7895872a04dcdfb7766

    SHA1

    3b2b9441b33ad62ffd0482fb7809751d3b9bad2a

    SHA256

    e7add15b111b57233b6b738daa79d3be3369d2a8858618c2906b6ef1347dc2c3

    SHA512

    8b80db7f3133be76feda9c0c05d4739018df74d763d15c8d910ebe77917fa6533bbef3c73a085219874a3d0f1c6de6260bb6bd3f0c514bf99dcfd6a2ed13baab

    Download Submit
  • \Users\Admin\AppData\Local\Temp\6C1D.exe
    MD5

    e86f1cd73f0be7895872a04dcdfb7766

    SHA1

    3b2b9441b33ad62ffd0482fb7809751d3b9bad2a

    SHA256

    e7add15b111b57233b6b738daa79d3be3369d2a8858618c2906b6ef1347dc2c3

    SHA512

    8b80db7f3133be76feda9c0c05d4739018df74d763d15c8d910ebe77917fa6533bbef3c73a085219874a3d0f1c6de6260bb6bd3f0c514bf99dcfd6a2ed13baab

    Download Submit
  • \Users\Admin\AppData\Local\Temp\6C1D.exe
    MD5

    e86f1cd73f0be7895872a04dcdfb7766

    SHA1

    3b2b9441b33ad62ffd0482fb7809751d3b9bad2a

    SHA256

    e7add15b111b57233b6b738daa79d3be3369d2a8858618c2906b6ef1347dc2c3

    SHA512

    8b80db7f3133be76feda9c0c05d4739018df74d763d15c8d910ebe77917fa6533bbef3c73a085219874a3d0f1c6de6260bb6bd3f0c514bf99dcfd6a2ed13baab

    Download Submit
  • \Users\Admin\AppData\Local\Temp\6C1D.exe
    MD5

    e86f1cd73f0be7895872a04dcdfb7766

    SHA1

    3b2b9441b33ad62ffd0482fb7809751d3b9bad2a

    SHA256

    e7add15b111b57233b6b738daa79d3be3369d2a8858618c2906b6ef1347dc2c3

    SHA512

    8b80db7f3133be76feda9c0c05d4739018df74d763d15c8d910ebe77917fa6533bbef3c73a085219874a3d0f1c6de6260bb6bd3f0c514bf99dcfd6a2ed13baab

    Download Submit
  • memory/564-64-0x00000000020A0000-0x00000000022BD000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/564-65-0x0000000000400000-0x0000000000629000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/564-63-0x00000000002E0000-0x00000000003BC000-memory.dmp
    Filesize

    880KB

    Download
  • memory/564-62-0x0000000000400000-0x0000000000629000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/564-91-0x0000000076EE0000-0x0000000077060000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/564-61-0x00000000002E0000-0x00000000003BC000-memory.dmp
    Filesize

    880KB

    Download
  • memory/1364-59-0x0000000002750000-0x0000000002766000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1564-58-0x0000000000400000-0x000000000046B000-memory.dmp
    Filesize

    428KB

    Download
  • memory/1564-56-0x00000000002CE000-0x00000000002D7000-memory.dmp
    Filesize

    36KB

    Download
  • memory/1564-57-0x00000000001C0000-0x00000000001C9000-memory.dmp
    Filesize

    36KB

    Download
  • memory/1564-55-0x0000000075421000-0x0000000075423000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1564-54-0x00000000002CE000-0x00000000002D7000-memory.dmp
    Filesize

    36KB

    Download
  • memory/1592-131-0x000000000063E000-0x000000000068E000-memory.dmp
    Filesize

    320KB

    Download
  • memory/1592-129-0x000000000063E000-0x000000000068E000-memory.dmp
    Filesize

    320KB

    Download
  • memory/1592-133-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/1592-132-0x00000000004C0000-0x0000000000552000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1616-127-0x0000000002204000-0x0000000002206000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1616-120-0x0000000000400000-0x000000000048E000-memory.dmp
    Filesize

    568KB

    Download
  • memory/1616-122-0x0000000000880000-0x00000000008B4000-memory.dmp
    Filesize

    208KB

    Download
  • memory/1616-126-0x0000000001FD0000-0x0000000002002000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1616-121-0x0000000072C00000-0x00000000732EE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1616-125-0x0000000002203000-0x0000000002204000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1616-123-0x0000000002201000-0x0000000002202000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1616-124-0x0000000002202000-0x0000000002203000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1616-119-0x0000000000220000-0x0000000000259000-memory.dmp
    Filesize

    228KB

    Download
  • memory/1616-118-0x000000000060E000-0x000000000063A000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1616-117-0x000000000060E000-0x000000000063A000-memory.dmp
    Filesize

    176KB

    Download
  • memory/2004-115-0x0000000076740000-0x0000000076840000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/2004-69-0x0000000000250000-0x0000000000253000-memory.dmp
    Filesize

    12KB

    Download
  • memory/2004-67-0x0000000000250000-0x0000000000253000-memory.dmp
    Filesize

    12KB

    Download