Resubmissions
17-10-2022 14:19
221017-rm5emacaf4 1017-10-2022 14:09
221017-rf8tgacbgp 1015-10-2022 16:38
221015-t5dezafggp 10Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
15-10-2022 16:38
General
-
Target
e41ad88438135bf0b2189701de819be1.exe
-
Size
213KB
-
MD5
e41ad88438135bf0b2189701de819be1
-
SHA1
95de6449d3b39f8e5024456909c867db18f8a72b
-
SHA256
cd3a2b42f2d770f1f870b2e3be9d0a5262b8038d65e6f95a1e63bed333150db5
-
SHA512
3cee47029aa2fde04e16f964a5d0c661a623bf6a3a954f30d90ead3859ae4d02c997184d929ba66712b67731cdd17cd664f620ca16241ac04c58e16aea500515
-
SSDEEP
3072:yXp4AqLOlFA/gtXw4Q5VgHnk9pIZ/cs95SSYPmEpZ0KPDUX56o:ycLOlFPwtgHk9pIpLSSsZ0bo
Malware Config
Extracted
redline
535
45.15.156.26:2794
-
auth_value
e7680eed1ef96d61de0f4c54c7c5a594
Signatures
-
Detects Smokeloader packer 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 8 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
-
Suspicious use of WriteProcessMemory 63 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e41ad88438135bf0b2189701de819be1.exe"C:\Users\Admin\AppData\Local\Temp\e41ad88438135bf0b2189701de819be1.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\1D3C.exeC:\Users\Admin\AppData\Local\Temp\1D3C.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1F31.exeC:\Users\Admin\AppData\Local\Temp\1F31.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\29F0.exeC:\Users\Admin\AppData\Local\Temp\29F0.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\321F.exeC:\Users\Admin\AppData\Local\Temp\321F.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\36D3.exeC:\Users\Admin\AppData\Local\Temp\36D3.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 12722⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\5F6B.exeC:\Users\Admin\AppData\Local\Temp\5F6B.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c "del C:\Users\Admin\AppData\Local\Temp\5F6B.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\624A.exeC:\Users\Admin\AppData\Local\Temp\624A.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4068 -ip 40681⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Roaming\hihsiirC:\Users\Admin\AppData\Roaming\hihsiir1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
419KB
MD593773c9cab9b15bd9238aebfe36712bf
SHA15d8878372c87b08a64298db91c884645ccf28443
SHA256b88c64f57a70f95f35fbe30ab3614608f34a2b9a6121c055d5da0358e24b6890
SHA51278d6ba07ae1e3cad90cc199f41f7d71fd2b69f2d844e7a0a6579509d48634b486165df657cb837eba3dc650612c3c71f4b1f808139d8dc85988a848381c70d87
-
Filesize
419KB
MD593773c9cab9b15bd9238aebfe36712bf
SHA15d8878372c87b08a64298db91c884645ccf28443
SHA256b88c64f57a70f95f35fbe30ab3614608f34a2b9a6121c055d5da0358e24b6890
SHA51278d6ba07ae1e3cad90cc199f41f7d71fd2b69f2d844e7a0a6579509d48634b486165df657cb837eba3dc650612c3c71f4b1f808139d8dc85988a848381c70d87
-
Filesize
356KB
MD570682f6421f864560af22030f9592d6e
SHA1873c3d4e7237813b74d20f6f598d422c08e536ab
SHA256acb8a59668d365181ce19a1fdd19aa992d86a9797f148e408daf5c7e9fa62bd3
SHA51227a576447278c55fdee54cdd3e38098774bcabba6f007d494966104572951f11b3984f314cdb1a833e8a69280d1a500a089ba5660f0f4a3a32fef575aba0c5a5
-
Filesize
356KB
MD570682f6421f864560af22030f9592d6e
SHA1873c3d4e7237813b74d20f6f598d422c08e536ab
SHA256acb8a59668d365181ce19a1fdd19aa992d86a9797f148e408daf5c7e9fa62bd3
SHA51227a576447278c55fdee54cdd3e38098774bcabba6f007d494966104572951f11b3984f314cdb1a833e8a69280d1a500a089ba5660f0f4a3a32fef575aba0c5a5
-
Filesize
356KB
MD534c6dc517df5134a240359e7e5bcaa1a
SHA15b933fa9f7634bc9813d5332b0e65e3276ef7148
SHA256d1a868c3491d26107fb5f7019b54b1ebd467294091c9675198e2fcf805a3c28e
SHA512101e18032ef5634bba987e9d33b2cc1c5f91db0db2beada259dde3367ee363924471f71a4a4cf985255b41995761927910bea0a8a0e790ef978bfbcfe8d7e7fa
-
Filesize
356KB
MD534c6dc517df5134a240359e7e5bcaa1a
SHA15b933fa9f7634bc9813d5332b0e65e3276ef7148
SHA256d1a868c3491d26107fb5f7019b54b1ebd467294091c9675198e2fcf805a3c28e
SHA512101e18032ef5634bba987e9d33b2cc1c5f91db0db2beada259dde3367ee363924471f71a4a4cf985255b41995761927910bea0a8a0e790ef978bfbcfe8d7e7fa
-
Filesize
720KB
MD56a4b0bf0bd9f496ee1398e702dcb25e1
SHA1bb020b724fc67dc818ae7a2f354fb268ed42f706
SHA2560103856c001d654207c4496b55b06921f5ed3818450a624464c5062b7668abb5
SHA512c09b4adf6f8fbb3718ec18aefba052e52179594ecfc6b08daede38815c03fa8ed3ca3b8de0fb4ec9acafb10f40ae835ba7f364e1c5876ae18aaf6291b444f4e2
-
Filesize
720KB
MD56a4b0bf0bd9f496ee1398e702dcb25e1
SHA1bb020b724fc67dc818ae7a2f354fb268ed42f706
SHA2560103856c001d654207c4496b55b06921f5ed3818450a624464c5062b7668abb5
SHA512c09b4adf6f8fbb3718ec18aefba052e52179594ecfc6b08daede38815c03fa8ed3ca3b8de0fb4ec9acafb10f40ae835ba7f364e1c5876ae18aaf6291b444f4e2
-
Filesize
447KB
MD589352e8c08c9fd0f48a76822f3f5a3b3
SHA13b1421963698640a76fb0677694f65afe1c75bc1
SHA2564b7f5a3df8170c4ea12a0ff058abb3cab8978063f551f32174ec63fa0d39071d
SHA51260c111082b26bdd38a401b3b283f63044312d73b14acc95dca474f9eeeca7bac9179d2ddff9f4172d1c5669ca2c8148c3b144bfebf9b8505aa7aeadbb1586db3
-
Filesize
447KB
MD589352e8c08c9fd0f48a76822f3f5a3b3
SHA13b1421963698640a76fb0677694f65afe1c75bc1
SHA2564b7f5a3df8170c4ea12a0ff058abb3cab8978063f551f32174ec63fa0d39071d
SHA51260c111082b26bdd38a401b3b283f63044312d73b14acc95dca474f9eeeca7bac9179d2ddff9f4172d1c5669ca2c8148c3b144bfebf9b8505aa7aeadbb1586db3
-
Filesize
7.5MB
MD5ee50fb38cb90b613a8c063626d3df2ca
SHA1f7d42c03a71d17cdfb93f820dd2147be009fa01e
SHA256db098d7fd521ad0112db04626fa4785005a4920521fa31a1e7c8afaf6bed841c
SHA51210e17199b14a40fcdb3a3fe2e5601fc5378c5f85019549911efd3b7679e067edf179c3798d852eda611171a9384845cddeb4df2c6ec395b7ea24555a39bb43d9
-
Filesize
7.5MB
MD5ee50fb38cb90b613a8c063626d3df2ca
SHA1f7d42c03a71d17cdfb93f820dd2147be009fa01e
SHA256db098d7fd521ad0112db04626fa4785005a4920521fa31a1e7c8afaf6bed841c
SHA51210e17199b14a40fcdb3a3fe2e5601fc5378c5f85019549911efd3b7679e067edf179c3798d852eda611171a9384845cddeb4df2c6ec395b7ea24555a39bb43d9
-
Filesize
331KB
MD5ded4b97cc13c25949a138fa987aee2c5
SHA10e19d5ad75ba8bbc0220c1807babcb1f0ee0206b
SHA2566fff178fd8292b0ebc310be78ce7f93e9ed29c2f0ef898648bd7765a67471aa6
SHA512fc81b97350d8455e4d1b012edf1aa230b2eae871713f18c37c62530efaa43d2ae9cae2693b07146b9c944522800f9d9a49ba2ff6b84e7d2d873803d5e0950345
-
Filesize
331KB
MD5ded4b97cc13c25949a138fa987aee2c5
SHA10e19d5ad75ba8bbc0220c1807babcb1f0ee0206b
SHA2566fff178fd8292b0ebc310be78ce7f93e9ed29c2f0ef898648bd7765a67471aa6
SHA512fc81b97350d8455e4d1b012edf1aa230b2eae871713f18c37c62530efaa43d2ae9cae2693b07146b9c944522800f9d9a49ba2ff6b84e7d2d873803d5e0950345
-
Filesize
213KB
MD5e41ad88438135bf0b2189701de819be1
SHA195de6449d3b39f8e5024456909c867db18f8a72b
SHA256cd3a2b42f2d770f1f870b2e3be9d0a5262b8038d65e6f95a1e63bed333150db5
SHA5123cee47029aa2fde04e16f964a5d0c661a623bf6a3a954f30d90ead3859ae4d02c997184d929ba66712b67731cdd17cd664f620ca16241ac04c58e16aea500515
-
Filesize
213KB
MD5e41ad88438135bf0b2189701de819be1
SHA195de6449d3b39f8e5024456909c867db18f8a72b
SHA256cd3a2b42f2d770f1f870b2e3be9d0a5262b8038d65e6f95a1e63bed333150db5
SHA5123cee47029aa2fde04e16f964a5d0c661a623bf6a3a954f30d90ead3859ae4d02c997184d929ba66712b67731cdd17cd664f620ca16241ac04c58e16aea500515
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
216KB
-
Filesize
36KB
-
Filesize
232KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
232KB
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
52KB
-
Filesize
232KB
-
Filesize
64KB
-
Filesize
232KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
468KB
-
Filesize
356KB
-
Filesize
472KB
-
Filesize
120KB
-
Filesize
320KB
-
Filesize
220KB
-
Filesize
220KB
-
Filesize
220KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
240KB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
1.8MB
-
Filesize
6.1MB
-
Filesize
5.2MB
-
Filesize
5.6MB
-
Filesize
468KB
-
Filesize
352KB