Analysis
-
max time kernel
142s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
12-03-2023 09:41
General
-
Target
43c3f3e2e28157583e7eda204b2b103f.exe
-
Size
1.5MB
-
MD5
43c3f3e2e28157583e7eda204b2b103f
-
SHA1
43939dc8d125df242075d47edd696f6276f7ecb7
-
SHA256
280474eb2d29702b7026467d357d2a34d58c08c82a264c174bce9e4bf694c19b
-
SHA512
6721ad923a1b5329addf034c8decd7d1aee3db800ef19064cfd7d077211d938aab6bb654751b6443cd19bb7a8b6896139787e9379522b3be5e8c5b492c75ef63
-
SSDEEP
12288:qP5IhyeomsP5LxH94zj9jljH0bStIswondr1fDzqJVxLsE8LX:1QYrpDzq1uL
Malware Config
Extracted
redline
CHEAT-MENU
amrican-sport-live-stream.cc:4581
-
auth_value
e948baa7e2fc2d71d02a5864e088ed36
Extracted
asyncrat
0.5.7B
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
smokeloader
MovA
Extracted
smokeloader
2022
http://glueberry-og.cc/
http://glueberry-og.co/
http://glueberry-og.to/
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Detect PureCrypter injector 15 IoCs
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
-
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Async RAT payload 6 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\43c3f3e2e28157583e7eda204b2b103f.exe"C:\Users\Admin\AppData\Local\Temp\43c3f3e2e28157583e7eda204b2b103f.exe"1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Cqkmojmubiodhyrksbaqcheat-menu - reddomain-obufcastesolution.exe"C:\Users\Admin\AppData\Local\Temp\Cqkmojmubiodhyrksbaqcheat-menu - reddomain-obufcastesolution.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rucxco.exe"' & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rucxco.exe"'4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\rucxco.exe"C:\Users\Admin\AppData\Local\Temp\rucxco.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kxitgg.exe"' & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kxitgg.exe"'4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\kxitgg.exe"C:\Users\Admin\AppData\Local\Temp\kxitgg.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe6⤵
- Suspicious behavior: AddClipboardFormatListener
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vbfglw.exe"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vbfglw.exe"'4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\vbfglw.exe"C:\Users\Admin\AppData\Local\Temp\vbfglw.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe6⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vunxxe.exe"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vunxxe.exe"'4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\vunxxe.exe"C:\Users\Admin\AppData\Local\Temp\vunxxe.exe"5⤵
- Executes dropped EXE
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61KB
MD5e71c8443ae0bc2e282c73faead0a6dd3
SHA10c110c1b01e68edfacaeae64781a37b1995fa94b
SHA25695b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6
-
Filesize
336KB
MD59d590398fb10eea18dd2b45b32986999
SHA14d1d64c39c85727b99b2691b0c8bf5d9b73cc7a3
SHA256826fb39eac32cf410fd29af272106d3196eb651c638e8e0409c07713bc6d85b9
SHA512dad505a8d87925499b99bfb025203f5724a368b4f43b012dcf6a587f9810ae68e3cc8b7d9d3f1b80466bb31dbde5d92d7ce7ced9d8f438145a0f9d3ba254d6d6
-
Filesize
336KB
MD59d590398fb10eea18dd2b45b32986999
SHA14d1d64c39c85727b99b2691b0c8bf5d9b73cc7a3
SHA256826fb39eac32cf410fd29af272106d3196eb651c638e8e0409c07713bc6d85b9
SHA512dad505a8d87925499b99bfb025203f5724a368b4f43b012dcf6a587f9810ae68e3cc8b7d9d3f1b80466bb31dbde5d92d7ce7ced9d8f438145a0f9d3ba254d6d6
-
Filesize
161KB
MD5be2bec6e8c5653136d3e72fe53c98aa3
SHA1a8182d6db17c14671c3d5766c72e58d87c0810de
SHA2561919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
SHA5120d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff
-
Filesize
1.3MB
MD57bf2898f75b3974d2c53999f8d3f40fb
SHA1c406aeef85ed1ce026b98b858af4be62da421119
SHA256c1a074fed48daff62eefa0cadc7e5f77186dd437acac684b379946c09cc6d208
SHA51220ec8430d1b1695ca943b1c9c759339be2facec42ff0086703a9f90ed7c684c1097dfed2a0dec9820d8949c4216c33767f9ef147aa38ba30e01cf9b5fe6f0676
-
Filesize
1.3MB
MD57bf2898f75b3974d2c53999f8d3f40fb
SHA1c406aeef85ed1ce026b98b858af4be62da421119
SHA256c1a074fed48daff62eefa0cadc7e5f77186dd437acac684b379946c09cc6d208
SHA51220ec8430d1b1695ca943b1c9c759339be2facec42ff0086703a9f90ed7c684c1097dfed2a0dec9820d8949c4216c33767f9ef147aa38ba30e01cf9b5fe6f0676
-
Filesize
828KB
MD5494969d84ee004227da4051403cbc098
SHA1befd216439b68c83899476ea7bf5c7eff025bdc6
SHA256c92db9ae788154a5b6f08a648e663000803dfba5aa893cfaef69b18c06d7fc48
SHA512ddc6d8745fb4b5c89990da7e85c5475a1fe91ece05b127258c85ad78d63a137a383bbf5a798c1b54d49d7506b53c03677bafa17ef7c8080f8f5bde1ebf552676
-
Filesize
828KB
MD5494969d84ee004227da4051403cbc098
SHA1befd216439b68c83899476ea7bf5c7eff025bdc6
SHA256c92db9ae788154a5b6f08a648e663000803dfba5aa893cfaef69b18c06d7fc48
SHA512ddc6d8745fb4b5c89990da7e85c5475a1fe91ece05b127258c85ad78d63a137a383bbf5a798c1b54d49d7506b53c03677bafa17ef7c8080f8f5bde1ebf552676
-
Filesize
2.3MB
MD5a08e5952ddaaabe4b7deaf30e3e522d3
SHA1d111978b9e2ea04f53ce48a36a4fde0e0e900ba3
SHA25652e3418b1b6e40efcfe1f6509e91da1f2f87bcd4f815cae8d1e89a0ebd6be58f
SHA5122f4433af151bf7cbf62087206a6bbc4a77dfbf4c5a873edf7828bd54997105f0f413afc21255ea628e648b75c4b82f6a1d402d00fa9f21d01a4013e504195cea
-
Filesize
2.3MB
MD5a08e5952ddaaabe4b7deaf30e3e522d3
SHA1d111978b9e2ea04f53ce48a36a4fde0e0e900ba3
SHA25652e3418b1b6e40efcfe1f6509e91da1f2f87bcd4f815cae8d1e89a0ebd6be58f
SHA5122f4433af151bf7cbf62087206a6bbc4a77dfbf4c5a873edf7828bd54997105f0f413afc21255ea628e648b75c4b82f6a1d402d00fa9f21d01a4013e504195cea
-
Filesize
5.8MB
MD5a4f3e603a335cbd6d8f9ff11c8f9a9c2
SHA1a5de59863fb4acc05a9253562172f802420ed21b
SHA2562c1b6a652a62f7fde53d2e84e1211fef21dfde9eb0d4e2879bd997733af77a3e
SHA512659d0175f4f496f5af6846f0af20345dec842c29eec7e78870b96d96bc712a39684be7a2cff1decabb6e447a477ddf8b92a1b22a12fe6ca07b1fd762540452f2
-
Filesize
5.8MB
MD5a4f3e603a335cbd6d8f9ff11c8f9a9c2
SHA1a5de59863fb4acc05a9253562172f802420ed21b
SHA2562c1b6a652a62f7fde53d2e84e1211fef21dfde9eb0d4e2879bd997733af77a3e
SHA512659d0175f4f496f5af6846f0af20345dec842c29eec7e78870b96d96bc712a39684be7a2cff1decabb6e447a477ddf8b92a1b22a12fe6ca07b1fd762540452f2
-
Filesize
7KB
MD5365c02f31da37d4552549efff7904cde
SHA1aa3b0fb496abd7109d3e3535db58b06ff068291a
SHA25629542133cefc3f8ef5627fa9781656d9fa42713c6d7740d6e698e9a6d23be39e
SHA5127a08ccffbfd995a460e4a9b29e1253b6dbbd9156e3f4f64d68a3935a74dfd67ae216b70d7276dbbbecd80c86ea7b2441df99fede21307278b30cd21400a82c24
-
Filesize
7KB
MD5365c02f31da37d4552549efff7904cde
SHA1aa3b0fb496abd7109d3e3535db58b06ff068291a
SHA25629542133cefc3f8ef5627fa9781656d9fa42713c6d7740d6e698e9a6d23be39e
SHA5127a08ccffbfd995a460e4a9b29e1253b6dbbd9156e3f4f64d68a3935a74dfd67ae216b70d7276dbbbecd80c86ea7b2441df99fede21307278b30cd21400a82c24
-
Filesize
7KB
MD5365c02f31da37d4552549efff7904cde
SHA1aa3b0fb496abd7109d3e3535db58b06ff068291a
SHA25629542133cefc3f8ef5627fa9781656d9fa42713c6d7740d6e698e9a6d23be39e
SHA5127a08ccffbfd995a460e4a9b29e1253b6dbbd9156e3f4f64d68a3935a74dfd67ae216b70d7276dbbbecd80c86ea7b2441df99fede21307278b30cd21400a82c24
-
Filesize
7KB
MD5365c02f31da37d4552549efff7904cde
SHA1aa3b0fb496abd7109d3e3535db58b06ff068291a
SHA25629542133cefc3f8ef5627fa9781656d9fa42713c6d7740d6e698e9a6d23be39e
SHA5127a08ccffbfd995a460e4a9b29e1253b6dbbd9156e3f4f64d68a3935a74dfd67ae216b70d7276dbbbecd80c86ea7b2441df99fede21307278b30cd21400a82c24
-
Filesize
7KB
MD5365c02f31da37d4552549efff7904cde
SHA1aa3b0fb496abd7109d3e3535db58b06ff068291a
SHA25629542133cefc3f8ef5627fa9781656d9fa42713c6d7740d6e698e9a6d23be39e
SHA5127a08ccffbfd995a460e4a9b29e1253b6dbbd9156e3f4f64d68a3935a74dfd67ae216b70d7276dbbbecd80c86ea7b2441df99fede21307278b30cd21400a82c24
-
Filesize
7KB
MD5365c02f31da37d4552549efff7904cde
SHA1aa3b0fb496abd7109d3e3535db58b06ff068291a
SHA25629542133cefc3f8ef5627fa9781656d9fa42713c6d7740d6e698e9a6d23be39e
SHA5127a08ccffbfd995a460e4a9b29e1253b6dbbd9156e3f4f64d68a3935a74dfd67ae216b70d7276dbbbecd80c86ea7b2441df99fede21307278b30cd21400a82c24
-
Filesize
336KB
MD59d590398fb10eea18dd2b45b32986999
SHA14d1d64c39c85727b99b2691b0c8bf5d9b73cc7a3
SHA256826fb39eac32cf410fd29af272106d3196eb651c638e8e0409c07713bc6d85b9
SHA512dad505a8d87925499b99bfb025203f5724a368b4f43b012dcf6a587f9810ae68e3cc8b7d9d3f1b80466bb31dbde5d92d7ce7ced9d8f438145a0f9d3ba254d6d6
-
Filesize
1.3MB
MD57bf2898f75b3974d2c53999f8d3f40fb
SHA1c406aeef85ed1ce026b98b858af4be62da421119
SHA256c1a074fed48daff62eefa0cadc7e5f77186dd437acac684b379946c09cc6d208
SHA51220ec8430d1b1695ca943b1c9c759339be2facec42ff0086703a9f90ed7c684c1097dfed2a0dec9820d8949c4216c33767f9ef147aa38ba30e01cf9b5fe6f0676
-
Filesize
828KB
MD5494969d84ee004227da4051403cbc098
SHA1befd216439b68c83899476ea7bf5c7eff025bdc6
SHA256c92db9ae788154a5b6f08a648e663000803dfba5aa893cfaef69b18c06d7fc48
SHA512ddc6d8745fb4b5c89990da7e85c5475a1fe91ece05b127258c85ad78d63a137a383bbf5a798c1b54d49d7506b53c03677bafa17ef7c8080f8f5bde1ebf552676
-
Filesize
2.3MB
MD5a08e5952ddaaabe4b7deaf30e3e522d3
SHA1d111978b9e2ea04f53ce48a36a4fde0e0e900ba3
SHA25652e3418b1b6e40efcfe1f6509e91da1f2f87bcd4f815cae8d1e89a0ebd6be58f
SHA5122f4433af151bf7cbf62087206a6bbc4a77dfbf4c5a873edf7828bd54997105f0f413afc21255ea628e648b75c4b82f6a1d402d00fa9f21d01a4013e504195cea
-
Filesize
5.8MB
MD5a4f3e603a335cbd6d8f9ff11c8f9a9c2
SHA1a5de59863fb4acc05a9253562172f802420ed21b
SHA2562c1b6a652a62f7fde53d2e84e1211fef21dfde9eb0d4e2879bd997733af77a3e
SHA512659d0175f4f496f5af6846f0af20345dec842c29eec7e78870b96d96bc712a39684be7a2cff1decabb6e447a477ddf8b92a1b22a12fe6ca07b1fd762540452f2
-
Filesize
360KB
-
Filesize
256KB
-
Filesize
24KB
-
Filesize
868KB
-
Filesize
868KB
-
Filesize
868KB
-
Filesize
4KB
-
Filesize
868KB
-
Filesize
868KB
-
Filesize
868KB
-
Filesize
868KB
-
Filesize
868KB
-
Filesize
868KB
-
Filesize
256KB
-
Filesize
792KB
-
Filesize
176KB
-
Filesize
1.5MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
4KB
-
Filesize
216KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
256KB
-
Filesize
48KB
-
Filesize
256KB
-
Filesize
72KB
-
Filesize
88KB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
512KB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
512KB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
5.9MB
-
Filesize
7.0MB
-
Filesize
584KB
-
Filesize
840KB
-
Filesize
512KB
-
Filesize
784KB
-
Filesize
672KB
-
Filesize
2.3MB
-
Filesize
256KB
-
Filesize
584KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
72KB
-
Filesize
680KB
-
Filesize
1.3MB
-
Filesize
256KB
-
Filesize
256KB