Analysis
-
max time kernel
189s -
max time network
189s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
07-12-2022 02:55
General
-
Target
b38836c2ca840a569bee2b3fb196b8bbf895848c91b4970ea661b1bd879ae9f2.exe
-
Size
382KB
-
MD5
4b3b3660d4aaac2ae95a48473fd6625e
-
SHA1
3e37934207617ea2af6a09cf0e47f831331d8c9c
-
SHA256
b38836c2ca840a569bee2b3fb196b8bbf895848c91b4970ea661b1bd879ae9f2
-
SHA512
b2cd9ee1754242ce5b0cfcb156eecd779df5935afafec0129ef45b253c50e7180e7ab3da381b51e167f62057017eac89a3ee128fce108c6cb069852786ab2d01
-
SSDEEP
6144:XWUMLgc83mCFuCcflf6HW2ccG3c9WcoBlC4saVe:XM8c83HPQp6HW2nGxcWCZ3
Malware Config
Extracted
redline
YT
65.21.5.58:48811
-
auth_value
fb878dde7f3b4ad1e1bc26d24db36d28
Signatures
-
Detects Smokeloader packer 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Uses the VBS compiler for execution 1 TTPs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b38836c2ca840a569bee2b3fb196b8bbf895848c91b4970ea661b1bd879ae9f2.exe"C:\Users\Admin\AppData\Local\Temp\b38836c2ca840a569bee2b3fb196b8bbf895848c91b4970ea661b1bd879ae9f2.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\FF1C.exeC:\Users\Admin\AppData\Local\Temp\FF1C.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\F1.exeC:\Users\Admin\AppData\Local\Temp\F1.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\1277.exeC:\Users\Admin\AppData\Local\Temp\1277.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1277.exeFilesize
922KB
MD50cec15477b0a89e89f78961fdd2f56b8
SHA148701957b74b12cfb521c8881ec9beac78f8866d
SHA25603de8297c43f7161e56416e5f7180bee53b5234f5c4f757cb0084b9603057351
SHA5121c8162b29d77035c23148cad569162f739ddc0c501fbf9dbc7cb06ffeaa7eb69d3f505aee167700eeba65fa6cab62ce92e3270b6d694f6f07192d8d3819ec595
-
C:\Users\Admin\AppData\Local\Temp\1277.exeFilesize
922KB
MD50cec15477b0a89e89f78961fdd2f56b8
SHA148701957b74b12cfb521c8881ec9beac78f8866d
SHA25603de8297c43f7161e56416e5f7180bee53b5234f5c4f757cb0084b9603057351
SHA5121c8162b29d77035c23148cad569162f739ddc0c501fbf9dbc7cb06ffeaa7eb69d3f505aee167700eeba65fa6cab62ce92e3270b6d694f6f07192d8d3819ec595
-
C:\Users\Admin\AppData\Local\Temp\F1.exeFilesize
510KB
MD52c7867a1749edef10274f3e34b047865
SHA1c2009f052e54f3c788e1872e7ac6f4d5fea218f9
SHA2568845215ed3299ff3381580ab3c1e1feb69d8c44361bc15d64b57a597147a74c7
SHA51260b503650f7f4ca7d14cfa7dabc1cda68eee8f0e34800fb160f44b3af9135bf27b15c57e26f19301baa1eb4eb6a6191cfa70d8ca28361db71969f7c0c3435e68
-
C:\Users\Admin\AppData\Local\Temp\F1.exeFilesize
510KB
MD52c7867a1749edef10274f3e34b047865
SHA1c2009f052e54f3c788e1872e7ac6f4d5fea218f9
SHA2568845215ed3299ff3381580ab3c1e1feb69d8c44361bc15d64b57a597147a74c7
SHA51260b503650f7f4ca7d14cfa7dabc1cda68eee8f0e34800fb160f44b3af9135bf27b15c57e26f19301baa1eb4eb6a6191cfa70d8ca28361db71969f7c0c3435e68
-
C:\Users\Admin\AppData\Local\Temp\FF1C.exeFilesize
1.5MB
MD5d1964c1b30d01262eccaee06c600d726
SHA1e213ef1a963cc1825b9183742bb2af555da72efe
SHA25606ece311c226daf62863e5791def4efee02dacfeacc6b7635095d0a63b715a99
SHA51202d5f5d71ef785dbc9a2c7bf960d60a19a7eeba3ae8227442c21ba153fc2443e0d1e5ec8319e70a55defcb1057f43d4f41602ba2089a64615dc3aaa8569d47a5
-
C:\Users\Admin\AppData\Local\Temp\FF1C.exeFilesize
1.5MB
MD5d1964c1b30d01262eccaee06c600d726
SHA1e213ef1a963cc1825b9183742bb2af555da72efe
SHA25606ece311c226daf62863e5791def4efee02dacfeacc6b7635095d0a63b715a99
SHA51202d5f5d71ef785dbc9a2c7bf960d60a19a7eeba3ae8227442c21ba153fc2443e0d1e5ec8319e70a55defcb1057f43d4f41602ba2089a64615dc3aaa8569d47a5
-
memory/364-164-0x00000000012D0000-0x00000000012F7000-memory.dmpFilesize
156KB
-
memory/364-180-0x0000000001300000-0x0000000001322000-memory.dmpFilesize
136KB
-
memory/364-163-0x0000000001300000-0x0000000001322000-memory.dmpFilesize
136KB
-
memory/364-162-0x0000000000000000-mapping.dmp
-
memory/592-178-0x0000000000520000-0x0000000000525000-memory.dmpFilesize
20KB
-
memory/592-157-0x0000000000520000-0x0000000000525000-memory.dmpFilesize
20KB
-
memory/592-158-0x0000000000510000-0x0000000000519000-memory.dmpFilesize
36KB
-
memory/592-156-0x0000000000000000-mapping.dmp
-
memory/1452-183-0x0000000000170000-0x00000000001A2000-memory.dmpFilesize
200KB
-
memory/1452-182-0x0000000000000000-mapping.dmp
-
memory/1532-153-0x00000000007C0000-0x00000000007CB000-memory.dmpFilesize
44KB
-
memory/1532-176-0x00000000007D0000-0x00000000007D7000-memory.dmpFilesize
28KB
-
memory/1532-150-0x0000000000000000-mapping.dmp
-
memory/1532-152-0x00000000007D0000-0x00000000007D7000-memory.dmpFilesize
28KB
-
memory/2168-160-0x00000000009F0000-0x00000000009F6000-memory.dmpFilesize
24KB
-
memory/2168-179-0x00000000009F0000-0x00000000009F6000-memory.dmpFilesize
24KB
-
memory/2168-161-0x00000000009E0000-0x00000000009EC000-memory.dmpFilesize
48KB
-
memory/2168-159-0x0000000000000000-mapping.dmp
-
memory/2408-167-0x0000000000A20000-0x0000000000A29000-memory.dmpFilesize
36KB
-
memory/2408-166-0x0000000000EB0000-0x0000000000EB5000-memory.dmpFilesize
20KB
-
memory/2408-165-0x0000000000000000-mapping.dmp
-
memory/2644-177-0x00000000001F0000-0x00000000001F9000-memory.dmpFilesize
36KB
-
memory/2644-154-0x00000000001F0000-0x00000000001F9000-memory.dmpFilesize
36KB
-
memory/2644-151-0x0000000000000000-mapping.dmp
-
memory/2644-155-0x00000000001E0000-0x00000000001EF000-memory.dmpFilesize
60KB
-
memory/3048-168-0x0000000000000000-mapping.dmp
-
memory/3048-189-0x0000000000F80000-0x0000000000F86000-memory.dmpFilesize
24KB
-
memory/3048-191-0x0000000000F70000-0x0000000000F7B000-memory.dmpFilesize
44KB
-
memory/3132-140-0x0000000000000000-mapping.dmp
-
memory/3392-181-0x0000000000410000-0x0000000000417000-memory.dmpFilesize
28KB
-
memory/3392-169-0x0000000000000000-mapping.dmp
-
memory/3392-170-0x0000000000410000-0x0000000000417000-memory.dmpFilesize
28KB
-
memory/3392-171-0x0000000000400000-0x000000000040D000-memory.dmpFilesize
52KB
-
memory/4664-172-0x0000000000000000-mapping.dmp
-
memory/4664-190-0x0000000000F70000-0x0000000000F7B000-memory.dmpFilesize
44KB
-
memory/4664-188-0x0000000000F80000-0x0000000000F88000-memory.dmpFilesize
32KB
-
memory/4896-147-0x0000000000000000-mapping.dmp
-
memory/4928-135-0x0000000000400000-0x0000000000465000-memory.dmpFilesize
404KB
-
memory/4928-133-0x00000000004E0000-0x00000000004E9000-memory.dmpFilesize
36KB
-
memory/4928-132-0x00000000006D6000-0x00000000006EC000-memory.dmpFilesize
88KB
-
memory/4928-134-0x0000000000400000-0x0000000000465000-memory.dmpFilesize
404KB
-
memory/4964-145-0x00007FFECF5D0000-0x00007FFECF7C5000-memory.dmpFilesize
2.0MB
-
memory/4964-139-0x0000000000CD0000-0x00000000011D0000-memory.dmpFilesize
5.0MB
-
memory/4964-136-0x0000000000000000-mapping.dmp
-
memory/4964-144-0x0000000000CD0000-0x00000000011D0000-memory.dmpFilesize
5.0MB
-
memory/4964-173-0x0000000000CD0000-0x00000000011D0000-memory.dmpFilesize
5.0MB
-
memory/4964-146-0x00007FFEB0540000-0x00007FFEB1001000-memory.dmpFilesize
10.8MB
-
memory/4964-175-0x00007FFEB0540000-0x00007FFEB1001000-memory.dmpFilesize
10.8MB
-
memory/4964-174-0x00007FFECF5D0000-0x00007FFECF7C5000-memory.dmpFilesize
2.0MB