Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
03-05-2022 20:33
Static task
static1
Behavioral task
behavioral1
Sample
b9c23593d588f9d13dcfd5e5e180183a138d7c4253e0702cc4952a9f721996b5.exe
Resource
win10-20220414-en
General
-
Target
b9c23593d588f9d13dcfd5e5e180183a138d7c4253e0702cc4952a9f721996b5.exe
-
Size
279KB
-
MD5
feb4828a3899927cefbe713d09ce4602
-
SHA1
c45bfefa95d41f8f919f661183693fbd9f4f1571
-
SHA256
b9c23593d588f9d13dcfd5e5e180183a138d7c4253e0702cc4952a9f721996b5
-
SHA512
cbfe9a74dbb4371de2be1b04e872fb5650dfd7eabba96534f60b4519a7f9b8e7c1d5fecaa0f01583bbeafe7f4c3d862cfd6afa54b9329c4cc470f14f5bf09392
Malware Config
Extracted
smokeloader
2020
http://monsutiur4.com/
http://nusurionuy5ff.at/
http://moroitomo4.net/
http://susuerulianita1.net/
http://cucumbetuturel4.com/
http://nunuslushau.com/
http://linislominyt11.at/
http://luxulixionus.net/
http://lilisjjoer44.com/
http://nikogminut88.at/
http://limo00ruling.org/
http://mini55tunul.com/
http://samnutu11nuli.com/
http://nikogkojam.org/
Extracted
redline
MARIO01_04
176.122.23.55:32478
-
auth_value
ed0902db14986ce5710c8e3a2307dc2f
Extracted
vidar
52
937
https://t.me/hollandracing
https://busshi.moe/@ronxik321
-
profile_id
937
Extracted
redline
slovarik2
185.215.113.115:39325
-
auth_value
6521f196e626a6e5adbea705ca0f48e2
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/1432-123-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral1/memory/1432-128-0x000000000041BC5E-mapping.dmp family_redline behavioral1/memory/2216-444-0x0000000002200000-0x0000000002236000-memory.dmp family_redline behavioral1/memory/2216-451-0x0000000004A30000-0x0000000004A64000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
-
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
-
Vidar Stealer 3 IoCs
Processes:
resource yara_rule behavioral1/memory/4024-145-0x0000000000530000-0x000000000067A000-memory.dmp family_vidar behavioral1/memory/4024-146-0x0000000000530000-0x00000000005DE000-memory.dmp family_vidar behavioral1/memory/4024-147-0x0000000000400000-0x00000000004A3000-memory.dmp family_vidar -
Executes dropped EXE 3 IoCs
Processes:
7A60.exe9144.exeA858.exepid process 388 7A60.exe 4024 9144.exe 2216 A858.exe -
Deletes itself 1 IoCs
Processes:
pid process 3020 -
Loads dropped DLL 2 IoCs
Processes:
9144.exepid process 4024 9144.exe 4024 9144.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
7A60.exedescription pid process target process PID 388 set thread context of 1432 388 7A60.exe AppLaunch.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
b9c23593d588f9d13dcfd5e5e180183a138d7c4253e0702cc4952a9f721996b5.exedescription ioc process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI b9c23593d588f9d13dcfd5e5e180183a138d7c4253e0702cc4952a9f721996b5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI b9c23593d588f9d13dcfd5e5e180183a138d7c4253e0702cc4952a9f721996b5.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI b9c23593d588f9d13dcfd5e5e180183a138d7c4253e0702cc4952a9f721996b5.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
9144.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 9144.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 9144.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
b9c23593d588f9d13dcfd5e5e180183a138d7c4253e0702cc4952a9f721996b5.exepid process 1316 b9c23593d588f9d13dcfd5e5e180183a138d7c4253e0702cc4952a9f721996b5.exe 1316 b9c23593d588f9d13dcfd5e5e180183a138d7c4253e0702cc4952a9f721996b5.exe 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 3020 -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process 3020 -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
b9c23593d588f9d13dcfd5e5e180183a138d7c4253e0702cc4952a9f721996b5.exepid process 1316 b9c23593d588f9d13dcfd5e5e180183a138d7c4253e0702cc4952a9f721996b5.exe 3020 3020 3020 3020 -
Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes:
AppLaunch.exeA858.exedescription pid process Token: SeShutdownPrivilege 3020 Token: SeCreatePagefilePrivilege 3020 Token: SeShutdownPrivilege 3020 Token: SeCreatePagefilePrivilege 3020 Token: SeShutdownPrivilege 3020 Token: SeCreatePagefilePrivilege 3020 Token: SeShutdownPrivilege 3020 Token: SeCreatePagefilePrivilege 3020 Token: SeShutdownPrivilege 3020 Token: SeCreatePagefilePrivilege 3020 Token: SeDebugPrivilege 1432 AppLaunch.exe Token: SeDebugPrivilege 2216 A858.exe Token: SeShutdownPrivilege 3020 Token: SeCreatePagefilePrivilege 3020 Token: SeShutdownPrivilege 3020 Token: SeCreatePagefilePrivilege 3020 Token: SeShutdownPrivilege 3020 Token: SeCreatePagefilePrivilege 3020 Token: SeShutdownPrivilege 3020 Token: SeCreatePagefilePrivilege 3020 Token: SeShutdownPrivilege 3020 Token: SeCreatePagefilePrivilege 3020 Token: SeShutdownPrivilege 3020 Token: SeCreatePagefilePrivilege 3020 Token: SeShutdownPrivilege 3020 Token: SeCreatePagefilePrivilege 3020 Token: SeShutdownPrivilege 3020 Token: SeCreatePagefilePrivilege 3020 Token: SeShutdownPrivilege 3020 Token: SeCreatePagefilePrivilege 3020 -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
7A60.exedescription pid process target process PID 3020 wrote to memory of 388 3020 7A60.exe PID 3020 wrote to memory of 388 3020 7A60.exe PID 3020 wrote to memory of 388 3020 7A60.exe PID 388 wrote to memory of 1432 388 7A60.exe AppLaunch.exe PID 388 wrote to memory of 1432 388 7A60.exe AppLaunch.exe PID 388 wrote to memory of 1432 388 7A60.exe AppLaunch.exe PID 388 wrote to memory of 1432 388 7A60.exe AppLaunch.exe PID 388 wrote to memory of 1432 388 7A60.exe AppLaunch.exe PID 3020 wrote to memory of 4024 3020 9144.exe PID 3020 wrote to memory of 4024 3020 9144.exe PID 3020 wrote to memory of 4024 3020 9144.exe PID 3020 wrote to memory of 2216 3020 A858.exe PID 3020 wrote to memory of 2216 3020 A858.exe PID 3020 wrote to memory of 2216 3020 A858.exe PID 3020 wrote to memory of 3688 3020 explorer.exe PID 3020 wrote to memory of 3688 3020 explorer.exe PID 3020 wrote to memory of 3688 3020 explorer.exe PID 3020 wrote to memory of 3688 3020 explorer.exe PID 3020 wrote to memory of 1876 3020 explorer.exe PID 3020 wrote to memory of 1876 3020 explorer.exe PID 3020 wrote to memory of 1876 3020 explorer.exe -
outlook_office_path 1 IoCs
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
outlook_win_path 1 IoCs
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9c23593d588f9d13dcfd5e5e180183a138d7c4253e0702cc4952a9f721996b5.exe"C:\Users\Admin\AppData\Local\Temp\b9c23593d588f9d13dcfd5e5e180183a138d7c4253e0702cc4952a9f721996b5.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\7A60.exeC:\Users\Admin\AppData\Local\Temp\7A60.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\9144.exeC:\Users\Admin\AppData\Local\Temp\9144.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\A858.exeC:\Users\Admin\AppData\Local\Temp\A858.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7A60.exeFilesize
1.8MB
MD54649dea8ee0c894f392cfcaf17f08bfa
SHA10a80de419c98b9e030c129b728f04a12c3e1208c
SHA2566d6933527e78c31cc8a5cdd322cd2a026c11a60cfeab58512f7fec5d6d0687ea
SHA5127fac1d4b9d1d2a1aa78676d4391aa6ecbf2cf68def5769f6774f5aa5c7a628de8ed4a48b1a603b3d5a9357f15afa7d6343e1b985229f52ada572187cdc61ec83
-
C:\Users\Admin\AppData\Local\Temp\7A60.exeFilesize
1.8MB
MD54649dea8ee0c894f392cfcaf17f08bfa
SHA10a80de419c98b9e030c129b728f04a12c3e1208c
SHA2566d6933527e78c31cc8a5cdd322cd2a026c11a60cfeab58512f7fec5d6d0687ea
SHA5127fac1d4b9d1d2a1aa78676d4391aa6ecbf2cf68def5769f6774f5aa5c7a628de8ed4a48b1a603b3d5a9357f15afa7d6343e1b985229f52ada572187cdc61ec83
-
C:\Users\Admin\AppData\Local\Temp\9144.exeFilesize
392KB
MD5091f0b3b502b52eadd71066bc0c05a9a
SHA1a22a05ece18f39934dde60b24d9bee24230aa97f
SHA256b772709904d1a0b67f6ed73bbfd1ea72ebad527ada5b00f24c4d200f49f94704
SHA512a38102527b3549a4bcc44acb8348d057e33df952dfa0a70513866df7b43b286daa952fd2e2bd3e6882ddafc3483ee3e750f586412475b75da1f6260fb7718f4f
-
C:\Users\Admin\AppData\Local\Temp\9144.exeFilesize
392KB
MD5091f0b3b502b52eadd71066bc0c05a9a
SHA1a22a05ece18f39934dde60b24d9bee24230aa97f
SHA256b772709904d1a0b67f6ed73bbfd1ea72ebad527ada5b00f24c4d200f49f94704
SHA512a38102527b3549a4bcc44acb8348d057e33df952dfa0a70513866df7b43b286daa952fd2e2bd3e6882ddafc3483ee3e750f586412475b75da1f6260fb7718f4f
-
C:\Users\Admin\AppData\Local\Temp\A858.exeFilesize
389KB
MD54ca1cf25a59fa1c58d4dab26f1e513b9
SHA13b129db016c483b20cf887f898f6ce52be1da5f5
SHA25602f1627f1a3e2f8531e2217ed28e420b717355ef15ca42bd9734b356f2bb2285
SHA5125b1f5a91a253c2f1baf2f5e3a9d55bf6d7fe16c71c7c5d97e7ce697901f2ac6e8a1ccb0e9ad0f07aa85ad8400d0460ee4a4158b88d392c354a75b7228149a012
-
C:\Users\Admin\AppData\Local\Temp\A858.exeFilesize
389KB
MD54ca1cf25a59fa1c58d4dab26f1e513b9
SHA13b129db016c483b20cf887f898f6ce52be1da5f5
SHA25602f1627f1a3e2f8531e2217ed28e420b717355ef15ca42bd9734b356f2bb2285
SHA5125b1f5a91a253c2f1baf2f5e3a9d55bf6d7fe16c71c7c5d97e7ce697901f2ac6e8a1ccb0e9ad0f07aa85ad8400d0460ee4a4158b88d392c354a75b7228149a012
-
\ProgramData\mozglue.dllFilesize
133KB
MD58f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
\ProgramData\nss3.dllFilesize
1.2MB
MD5bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
memory/388-120-0x0000000000000000-mapping.dmp
-
memory/1316-117-0x00000000001F0000-0x00000000001F9000-memory.dmpFilesize
36KB
-
memory/1316-118-0x0000000000400000-0x0000000000486000-memory.dmpFilesize
536KB
-
memory/1316-116-0x0000000000633000-0x0000000000644000-memory.dmpFilesize
68KB
-
memory/1432-148-0x000000000A680000-0x000000000AB7E000-memory.dmpFilesize
5.0MB
-
memory/1432-128-0x000000000041BC5E-mapping.dmp
-
memory/1432-123-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1432-135-0x0000000009690000-0x00000000096CE000-memory.dmpFilesize
248KB
-
memory/1432-134-0x0000000009740000-0x000000000984A000-memory.dmpFilesize
1.0MB
-
memory/1432-406-0x000000000B880000-0x000000000BDAC000-memory.dmpFilesize
5.2MB
-
memory/1432-136-0x00000000096D0000-0x000000000971B000-memory.dmpFilesize
300KB
-
memory/1432-132-0x0000000009B70000-0x000000000A176000-memory.dmpFilesize
6.0MB
-
memory/1432-133-0x0000000009610000-0x0000000009622000-memory.dmpFilesize
72KB
-
memory/1432-151-0x00000000099D0000-0x0000000009A46000-memory.dmpFilesize
472KB
-
memory/1432-152-0x000000000A180000-0x000000000A212000-memory.dmpFilesize
584KB
-
memory/1432-153-0x0000000009AF0000-0x0000000009B0E000-memory.dmpFilesize
120KB
-
memory/1432-154-0x000000000A600000-0x000000000A666000-memory.dmpFilesize
408KB
-
memory/1432-405-0x000000000B180000-0x000000000B342000-memory.dmpFilesize
1.8MB
-
memory/1876-505-0x0000000000000000-mapping.dmp
-
memory/2216-451-0x0000000004A30000-0x0000000004A64000-memory.dmpFilesize
208KB
-
memory/2216-411-0x0000000000000000-mapping.dmp
-
memory/2216-444-0x0000000002200000-0x0000000002236000-memory.dmpFilesize
216KB
-
memory/2216-487-0x0000000000520000-0x000000000066A000-memory.dmpFilesize
1.3MB
-
memory/2216-489-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/2216-488-0x0000000000800000-0x000000000083A000-memory.dmpFilesize
232KB
-
memory/3020-119-0x0000000000F80000-0x0000000000F96000-memory.dmpFilesize
88KB
-
memory/3688-504-0x0000000000000000-mapping.dmp
-
memory/4024-147-0x0000000000400000-0x00000000004A3000-memory.dmpFilesize
652KB
-
memory/4024-146-0x0000000000530000-0x00000000005DE000-memory.dmpFilesize
696KB
-
memory/4024-145-0x0000000000530000-0x000000000067A000-memory.dmpFilesize
1.3MB
-
memory/4024-506-0x0000000060900000-0x0000000060992000-memory.dmpFilesize
584KB
-
memory/4024-141-0x0000000000000000-mapping.dmp