Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    161s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-03-2023 22:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    249KB

  • MD5

    88976fa95d5f638343755c86067550b6

  • SHA1

    9d83f005173bd672087d2bd2be9a9533fa97ce75

  • SHA256

    fa2c8289fb1a7c26774c74f39391df7a68c06f7b2e1aba9f722d8b30fcc5be97

  • SHA512

    0e28cf7e3d8fa981bce1faf422a3f3eb6bd4313540236d50e8b0453bec5d976fa08c1fb5248789bbd2e2174de3d2f3d1c5f32248c3cccb7c4ff84c1b141fbed4

  • SSDEEP

    3072:/DqCDXwLvmHW2oUb1rml9dhYx06u7SaM8HTKtzWvl53brYsejg:LDXwLvPLgRmDspWSaHFvYsd

Score
10/10
redlinesmokeloaderfronx2pub4backdoordiscoveryinfostealerspywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2022

C2

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

fronx2

C2

fronxtracking.com:80

Attributes
  • auth_value

    0a4100df2644a6a6582137d2da2c8bd1

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 31 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4912
  • C:\Users\Admin\AppData\Local\Temp\13D6.exe
    C:\Users\Admin\AppData\Local\Temp\13D6.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3316
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 1152
      2⤵
      • Program crash
      PID:2052
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3316 -ip 3316
    1⤵
      PID:4704

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\13D6.exe
      Filesize

      354KB

      MD5

      b8f935276b721ea19e925fd41efdc785

      SHA1

      def911110b52420750d7d40db002e0f0124a9aca

      SHA256

      5e945b4cd11a165337140d4772765268790943d2a7e7db8c58f0fa671e6c8226

      SHA512

      6cf70cba572b10b87a47f3cb79cc22cbf3eab0e309badd9435c24f6c0a419e6f4d2ef09816338bba0f842015a793200d0841c192d3680106beff323e40b26eda

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\13D6.exe
      Filesize

      354KB

      MD5

      b8f935276b721ea19e925fd41efdc785

      SHA1

      def911110b52420750d7d40db002e0f0124a9aca

      SHA256

      5e945b4cd11a165337140d4772765268790943d2a7e7db8c58f0fa671e6c8226

      SHA512

      6cf70cba572b10b87a47f3cb79cc22cbf3eab0e309badd9435c24f6c0a419e6f4d2ef09816338bba0f842015a793200d0841c192d3680106beff323e40b26eda

      Download Submit

    • memory/3236-135-0x0000000000390000-0x00000000003A6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/3316-148-0x0000000002520000-0x0000000002582000-memory.dmp

      Filesize

      392KB

      Download

    • memory/3316-149-0x0000000004F50000-0x0000000004F60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3316-150-0x0000000004F60000-0x0000000005504000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3316-151-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-154-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-152-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-156-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-158-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-160-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-162-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-164-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-166-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-168-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-170-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-172-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-175-0x0000000004F50000-0x0000000004F60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3316-174-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-177-0x0000000004F50000-0x0000000004F60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3316-178-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-180-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-182-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-184-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-186-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-188-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-190-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-192-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-194-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-196-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-198-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-200-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-202-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-204-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-206-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-208-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-210-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-212-0x0000000005520000-0x0000000005572000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3316-943-0x00000000055A0000-0x0000000005BB8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3316-944-0x0000000005C60000-0x0000000005C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3316-945-0x0000000005C80000-0x0000000005D8A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3316-946-0x0000000005D90000-0x0000000005DCC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3316-947-0x0000000004F50000-0x0000000004F60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3316-948-0x00000000060B0000-0x0000000006116000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3316-949-0x0000000007060000-0x00000000070F2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3316-950-0x0000000007120000-0x0000000007196000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3316-951-0x00000000071F0000-0x00000000073B2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3316-952-0x00000000073D0000-0x00000000078FC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3316-953-0x0000000007A20000-0x0000000007A3E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3316-954-0x0000000007D20000-0x0000000007D70000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3316-956-0x0000000004F50000-0x0000000004F60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3316-957-0x0000000004F50000-0x0000000004F60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4912-134-0x00000000008F0000-0x00000000008F9000-memory.dmp

      Filesize

      36KB

      Download

    • memory/4912-136-0x0000000000400000-0x0000000000826000-memory.dmp

      Filesize

      4.1MB

      Download

    • memory/4912-139-0x00000000008F0000-0x00000000008F9000-memory.dmp

      Filesize

      36KB

      Download