Overview

overview

10

Static

static

1

6b57886745...10.exe

windows7-x64

10

6b57886745...10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-03-2023 15:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b5788674568961860422191b3a23010.exe

  • Size

    283KB

  • MD5

    6b5788674568961860422191b3a23010

  • SHA1

    5ae408ce2dbf46b553a8e89db5b311ca40af3466

  • SHA256

    3358510dd07f7a0f84f6b8ff788bf5fb661c2259ebff3696c964f928a166a58c

  • SHA512

    32b11c9d8cc82f3cca441bc6d437a26113b785e2e6358fc9512701a0f04a1ea5d1640a9188a66fa6de77ae9f80f09f3c499944ee563d6f2439af0b0ee2590ce9

  • SSDEEP

    3072:IR/M5lL68U8+CTnMvkHFaMLdH2cj+l3CjixKud+fYpS9BOS1FtTxvC:+ULotlvCaMLtPaldxdIwr6tT

Score
10/10
redlinesmokeloadersystembcpub4backdoordiscoveryinfostealerspywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2022

C2

http://vispik.at/tmp/

http://ekcentric.com/tmp/

http://hbeat.ru/tmp/

http://mordo.ru/tmp/
rc4.i32
rc4.i32

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 31 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b5788674568961860422191b3a23010.exe
    "C:\Users\Admin\AppData\Local\Temp\6b5788674568961860422191b3a23010.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1060
  • C:\Users\Admin\AppData\Local\Temp\D854.exe
    C:\Users\Admin\AppData\Local\Temp\D854.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3992
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 1280
      2⤵
      • Program crash
      PID:1372
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3992 -ip 3992
    1⤵
      PID:5092
    • C:\Users\Admin\AppData\Local\Temp\6FC2.exe
      C:\Users\Admin\AppData\Local\Temp\6FC2.exe
      1⤵
      • Executes dropped EXE
      PID:376
    • C:\Users\Admin\AppData\Local\Temp\7FD1.exe
      C:\Users\Admin\AppData\Local\Temp\7FD1.exe
      1⤵
      • Executes dropped EXE
      PID:2748

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\6FC2.exe
      Filesize

      283KB

      MD5

      eb9b9624c44ec36f6489d30e5213045b

      SHA1

      eb64885704c59350b0f2dd7a4e144a54480d6f22

      SHA256

      f4ad9b9bf522392502cb31ccdda5313f3bd41195da5ab179604a450a3239b3b7

      SHA512

      7b153daa7ab6f24017c82ab0507e194e9528e1ed632c4f3e6c25f7b29494434eb3d6a76b4aa0791be436feb906711f5f4483662ba8ec62f5cb96e8bb1df1f7d9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\6FC2.exe
      Filesize

      283KB

      MD5

      eb9b9624c44ec36f6489d30e5213045b

      SHA1

      eb64885704c59350b0f2dd7a4e144a54480d6f22

      SHA256

      f4ad9b9bf522392502cb31ccdda5313f3bd41195da5ab179604a450a3239b3b7

      SHA512

      7b153daa7ab6f24017c82ab0507e194e9528e1ed632c4f3e6c25f7b29494434eb3d6a76b4aa0791be436feb906711f5f4483662ba8ec62f5cb96e8bb1df1f7d9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\7FD1.exe
      Filesize

      283KB

      MD5

      5e6634f3e902cc40d0a94c9266b42221

      SHA1

      69dd1f7e03d2c89504d6c7b288ca40f337ee60dd

      SHA256

      1edf30d94cabdd323fb90fe6882418335c731c25ec22ffe71650a749721474df

      SHA512

      f2a32b2875f9e4949136cd92d7d3d16c674f75e7cdabce4d84689b2dd5564c34f0d7c761b20df81eb18aa607c667b1643573983314f0520ab6273a00dbdc2466

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\7FD1.exe
      Filesize

      283KB

      MD5

      5e6634f3e902cc40d0a94c9266b42221

      SHA1

      69dd1f7e03d2c89504d6c7b288ca40f337ee60dd

      SHA256

      1edf30d94cabdd323fb90fe6882418335c731c25ec22ffe71650a749721474df

      SHA512

      f2a32b2875f9e4949136cd92d7d3d16c674f75e7cdabce4d84689b2dd5564c34f0d7c761b20df81eb18aa607c667b1643573983314f0520ab6273a00dbdc2466

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\D854.exe
      Filesize

      378KB

      MD5

      731c639d004843f2c66fe6270b390754

      SHA1

      605c3ae537bf210fda80b2cd492827b85e30ae83

      SHA256

      5b1681d06c0bdff4730d772fdd7be80b97bdeb0c614ad6b082dcfc0565c71d61

      SHA512

      ea657767328a33bc9073ef512ce6f0b3fb5059ba4d8621c346c120f4207506dbcf7ebd9e6349e9b585daf6fc8ea876c54607a34489c1840655a6f607519f40e8

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\D854.exe
      Filesize

      378KB

      MD5

      731c639d004843f2c66fe6270b390754

      SHA1

      605c3ae537bf210fda80b2cd492827b85e30ae83

      SHA256

      5b1681d06c0bdff4730d772fdd7be80b97bdeb0c614ad6b082dcfc0565c71d61

      SHA512

      ea657767328a33bc9073ef512ce6f0b3fb5059ba4d8621c346c120f4207506dbcf7ebd9e6349e9b585daf6fc8ea876c54607a34489c1840655a6f607519f40e8

      Download Submit
    • memory/376-966-0x0000000000720000-0x0000000000723000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1060-134-0x0000000000680000-0x0000000000689000-memory.dmp
      Filesize

      36KB

      Download
    • memory/1060-136-0x0000000000400000-0x00000000004C9000-memory.dmp
      Filesize

      804KB

      Download
    • memory/2748-972-0x0000000000550000-0x0000000000553000-memory.dmp
      Filesize

      12KB

      Download
    • memory/3192-135-0x0000000000620000-0x0000000000636000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3992-187-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-199-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-155-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-157-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-159-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-161-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-163-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-165-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-167-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-169-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-171-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-173-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-175-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-177-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-179-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-181-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-183-0x0000000002A60000-0x0000000002A70000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3992-184-0x0000000002A60000-0x0000000002A70000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3992-185-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-151-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-191-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-189-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-193-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-195-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-197-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-153-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-201-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-203-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-205-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-207-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-209-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-211-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-942-0x00000000053C0000-0x00000000059D8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/3992-943-0x00000000029E0000-0x00000000029F2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3992-944-0x00000000059E0000-0x0000000005AEA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3992-945-0x0000000002A00000-0x0000000002A3C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/3992-946-0x0000000002A60000-0x0000000002A70000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3992-947-0x0000000005D60000-0x0000000005DC6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3992-948-0x0000000006D00000-0x0000000006D92000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3992-949-0x0000000006DE0000-0x0000000006E56000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3992-950-0x0000000006EA0000-0x0000000007062000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/3992-951-0x0000000007080000-0x00000000075AC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/3992-952-0x00000000076D0000-0x00000000076EE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3992-954-0x0000000002A60000-0x0000000002A70000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3992-955-0x00000000079D0000-0x0000000007A20000-memory.dmp
      Filesize

      320KB

      Download
    • memory/3992-150-0x00000000028F0000-0x0000000002942000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3992-149-0x0000000004E10000-0x00000000053B4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3992-148-0x0000000002A60000-0x0000000002A70000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3992-147-0x0000000000670000-0x00000000006D2000-memory.dmp
      Filesize

      392KB

      Download
    • memory/3992-956-0x0000000002A60000-0x0000000002A70000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3992-957-0x0000000002A60000-0x0000000002A70000-memory.dmp
      Filesize

      64KB

      Download