Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
24/03/2023, 21:29
General
-
Target
file.exe
-
Size
276KB
-
MD5
ca60a396915eb96aa8b5f7a0c5ff07f8
-
SHA1
19ca5be22c6b07418a18aa93931d41a0b11c3b9e
-
SHA256
2a05b42d2c3c8b84d7e5343ba39030b16004622607ef49a11d75249d3a8a03b8
-
SHA512
c487b8803e3eae896483075819738954c611330021ad6d9fa5b4ff8bfab380836eb7ab73edbc7ad2f24e08da170e9c11f1262305f0e6a36f5663eaf63462ca2e
-
SSDEEP
3072:oxkfN82xxRYCCd5kxUlfCDmDdZzlzxnsdJFqwWNb2oaqR0d2KWN8aeeL:Uw2cY/fCDAlzxdDJ2/qR0sKva
Malware Config
Extracted
smokeloader
pub4
Extracted
smokeloader
2022
http://aapu.at/tmp/
http://poudineh.com/tmp/
http://firsttrusteedrx.ru/tmp/
http://kingpirate.ru/tmp/
Extracted
redline
koreamon
koreamonitoring.com:80
-
auth_value
1a0e1a9f491ef3df873a03577dfa10aa
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 31 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\48E0.exeC:\Users\Admin\AppData\Local\Temp\48E0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 12802⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2844 -ip 28441⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
382KB
MD5c7d77a744ccd4ee1299450459b927866
SHA185054dc4a4b884cdfe17160eb15a20c4c1392f5a
SHA256ce4b341a6c51005e2e3b9898dd2c73af335cc9703be9c55f8dbc32da727db6e2
SHA512e4d4e50846c89fe24b543e4679cad001f6ae8025b6e1d5d0360016505bd5f6457756a2d65ce44d6f0c5dffedc5d67e2ff8edae4017e8fcdd071e637e8bd988b3
-
Filesize
382KB
MD5c7d77a744ccd4ee1299450459b927866
SHA185054dc4a4b884cdfe17160eb15a20c4c1392f5a
SHA256ce4b341a6c51005e2e3b9898dd2c73af335cc9703be9c55f8dbc32da727db6e2
SHA512e4d4e50846c89fe24b543e4679cad001f6ae8025b6e1d5d0360016505bd5f6457756a2d65ce44d6f0c5dffedc5d67e2ff8edae4017e8fcdd071e637e8bd988b3
-
Filesize
392KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
472KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
39.4MB