Overview

overview

10

Static

static

1

b87577df85...39.exe

windows7-x64

10

b87577df85...39.exe

windows10-2004-x64

10

Resubmissions

09-10-2023 22:51

231009-2szrfaba44 10

05-04-2023 09:55

230405-lx64bada28 10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-04-2023 09:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b87577df851960649e52cebb4796bd489ab28293f708d1a404b0cc06f16aad39.exe

  • Size

    258KB

  • MD5

    11ad8bdbbdfee754a25adcc84624f7b3

  • SHA1

    08c0a461cda758d3b18f072321d9642841602662

  • SHA256

    b87577df851960649e52cebb4796bd489ab28293f708d1a404b0cc06f16aad39

  • SHA512

    f981089b29634d9d87c8362c045d38388da90fac0b85314c63a6b94dad0ade955a1482e35c5a46c0e8fd335bf91709c40ee3754eb0a7598486e3f7124ed2a3de

  • SSDEEP

    3072:/hxLhKAJQzyLylplF++o2n8zWWOhBhG5BqBHNET1B+s5xLvjf:jyzyLKlD8zHgPBw1n/

Score
10/10
bumblebeerhadamanthyssmokeloaderinstpub4backdoorcollectionstealertrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2022

C2

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/
rc4.i32
rc4.i32

Extracted

Family

bumblebee

Botnet

inst

C2

194.15.216.247:443

23.106.215.141:443

104.168.244.96:443

51.83.255.85:443

192.119.81.86:443
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee
  • Detect rhadamanthys stealer shellcode 4 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b87577df851960649e52cebb4796bd489ab28293f708d1a404b0cc06f16aad39.exe
    "C:\Users\Admin\AppData\Local\Temp\b87577df851960649e52cebb4796bd489ab28293f708d1a404b0cc06f16aad39.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4704
  • C:\Users\Admin\AppData\Local\Temp\6C56.exe
    C:\Users\Admin\AppData\Local\Temp\6C56.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:976
    • C:\Windows\system32\dllhost.exe
      "C:\Windows\system32\dllhost.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Checks processor information in registry
      • outlook_office_path
      • outlook_win_path
      PID:696
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 732
      2⤵
      • Program crash
      PID:1924
  • C:\Users\Admin\AppData\Local\Temp\BF88.exe
    C:\Users\Admin\AppData\Local\Temp\BF88.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of NtCreateThreadExHideFromDebugger
    PID:4952
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 976 -ip 976
    1⤵
      PID:5112

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\6C56.exe
      Filesize

      272KB

      MD5

      91fcc079b33d90c504df8d935b46e8e5

      SHA1

      d45849d356f6121e5ef1a3f13add2ab1ae7f81e2

      SHA256

      8e05fe5a2271126b27ee3a7c2a6aa9e5e7e009efa4acfc29a688e3c2873110bb

      SHA512

      e27533ee6639f22b0e349d43e98365ff4425e69eca6482b66a2a5d3138ffa8111fdfa92ac1e9c103927b0b69a022507c55fe04f31584908f909ec944db4e762d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\6C56.exe
      Filesize

      272KB

      MD5

      91fcc079b33d90c504df8d935b46e8e5

      SHA1

      d45849d356f6121e5ef1a3f13add2ab1ae7f81e2

      SHA256

      8e05fe5a2271126b27ee3a7c2a6aa9e5e7e009efa4acfc29a688e3c2873110bb

      SHA512

      e27533ee6639f22b0e349d43e98365ff4425e69eca6482b66a2a5d3138ffa8111fdfa92ac1e9c103927b0b69a022507c55fe04f31584908f909ec944db4e762d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\BF88.exe
      Filesize

      1.6MB

      MD5

      1eb4bd24c3d02a38a333eaeee4b9b49d

      SHA1

      3c85c03088b07bfcbbe969af0cbdde9bd26e69d8

      SHA256

      35f2ec59313bbe5b78e4b043f06f8961f6f3e77b870544d15ee7cc1fca987d8c

      SHA512

      3581aa74972f21bf22191181a9db68ec6db1071b153ee4a40519129b34c6be3cdbe32e3a65d4ad64f20bd224fb2d2f91e72139b250b69a0c80456f80a3c2cff5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\BF88.exe
      Filesize

      1.6MB

      MD5

      1eb4bd24c3d02a38a333eaeee4b9b49d

      SHA1

      3c85c03088b07bfcbbe969af0cbdde9bd26e69d8

      SHA256

      35f2ec59313bbe5b78e4b043f06f8961f6f3e77b870544d15ee7cc1fca987d8c

      SHA512

      3581aa74972f21bf22191181a9db68ec6db1071b153ee4a40519129b34c6be3cdbe32e3a65d4ad64f20bd224fb2d2f91e72139b250b69a0c80456f80a3c2cff5

      Download Submit

    • memory/696-173-0x00007FF4F5750000-0x00007FF4F584A000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/696-172-0x00007FF4F5750000-0x00007FF4F584A000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/696-171-0x00007FF4F5750000-0x00007FF4F584A000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/696-170-0x00007FF4F5750000-0x00007FF4F584A000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/696-167-0x00007FF4F5750000-0x00007FF4F584A000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/696-166-0x00007FF4F5750000-0x00007FF4F584A000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/696-165-0x0000024917320000-0x0000024917327000-memory.dmp

      Filesize

      28KB

      Download

    • memory/696-161-0x0000024917010000-0x0000024917011000-memory.dmp

      Filesize

      4KB

      Download

    • memory/976-150-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/976-164-0x00000000005C0000-0x00000000005C2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/976-147-0x0000000000550000-0x000000000057E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/976-148-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/976-153-0x0000000000580000-0x000000000059C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/976-169-0x0000000000580000-0x000000000059C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/976-151-0x0000000000580000-0x000000000059C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/976-158-0x0000000000580000-0x000000000059C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/976-152-0x0000000000530000-0x0000000000532000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3260-135-0x0000000002B40000-0x0000000002B56000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4704-134-0x0000000000780000-0x0000000000789000-memory.dmp

      Filesize

      36KB

      Download

    • memory/4704-136-0x0000000000400000-0x0000000000703000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/4952-163-0x00000187ED7B0000-0x00000187ED842000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4952-162-0x00000187ED9B0000-0x00000187EDB11000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4952-160-0x00000187ED9B0000-0x00000187EDB11000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4952-159-0x00000187ED9B0000-0x00000187EDB11000-memory.dmp

      Filesize

      1.4MB

      Download