Analysis
-
max time kernel
81s -
max time network
136s -
platform
windows10-1703_x64 -
resource
win10-20230703-en -
resource tags
-
submitted
16-07-2023 07:24
General
-
Target
d1c1436fcbdfc15595d95287aa8ca3d69f277a1677000fa30bbb519e4d305a38.exe
-
Size
253KB
-
MD5
d5b47e416d7a06febe582f4b00b65367
-
SHA1
ea205f12d9fdf13b884f22454de514496a0b3865
-
SHA256
d1c1436fcbdfc15595d95287aa8ca3d69f277a1677000fa30bbb519e4d305a38
-
SHA512
0ac7a9bec2d49457ba1f7d4c6de74ff41ce9132fc2cb141a713e23cdb5e4ab1a8e0a96ac27adaa8911e1ee08829bff4f4f541fb954f187ed2717e476377f1565
-
SSDEEP
3072:vKLEBiLgtH0uX2ETlYKfRpjojDPyucx5CKAwlg:iLE3NX2iSTfKucWKA
Malware Config
Extracted
smokeloader
summ
Extracted
smokeloader
2022
http://stalagmijesarl.com/
http://ukdantist-sarl.com/
http://cpcorprotationltd.com/
Extracted
redline
cc
94.228.169.160:43800
-
auth_value
ec4d19a9dd758ace38b4f5b4a447b048
Extracted
laplas
http://clipper.guru
-
api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 14 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of WriteProcessMemory 53 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d1c1436fcbdfc15595d95287aa8ca3d69f277a1677000fa30bbb519e4d305a38.exe"C:\Users\Admin\AppData\Local\Temp\d1c1436fcbdfc15595d95287aa8ca3d69f277a1677000fa30bbb519e4d305a38.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\7CB.exeC:\Users\Admin\AppData\Local\Temp\7CB.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\D4A.exeC:\Users\Admin\AppData\Local\Temp\D4A.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1692.exeC:\Users\Admin\AppData\Local\Temp\1692.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 3642⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\1E63.exeC:\Users\Admin\AppData\Local\Temp\1E63.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.0MB
MD571ef5fd46955ea0abd7800e7c99cc8b3
SHA1a9efdd480409e6b0a626ea6fd9efaf280b20bb75
SHA256fe20091e32e612a1b5b7043895ddf7d0131a544a6f86d177218645241070f32d
SHA512a5fb7bdb0df383295d35c7e7e73956e8f5061e9ec00e783fa36c8577234be3333bd8d26fd110de08b9809495587fb3f9b79742bd3fb178cf892c88c36a75e650
-
Filesize
2.0MB
MD571ef5fd46955ea0abd7800e7c99cc8b3
SHA1a9efdd480409e6b0a626ea6fd9efaf280b20bb75
SHA256fe20091e32e612a1b5b7043895ddf7d0131a544a6f86d177218645241070f32d
SHA512a5fb7bdb0df383295d35c7e7e73956e8f5061e9ec00e783fa36c8577234be3333bd8d26fd110de08b9809495587fb3f9b79742bd3fb178cf892c88c36a75e650
-
Filesize
381KB
MD5ab9327fce682d578e28456820e0d9baa
SHA148696ea54a5960a3f9bbbf96819a150ad93c33c1
SHA2561915d244bae2707f6531ea7ffc0fb7708f7cafcf2aa354223ea8112064b18eaf
SHA512dcfd05aeb32c42dd9b25c11e214fa7b9aac96c1bdb747ee71487bdce9f58cb6c691bb3266cd3f752b2abd83f9b17d297a767751bf14123dfc14820fb2cb6eaab
-
Filesize
381KB
MD5ab9327fce682d578e28456820e0d9baa
SHA148696ea54a5960a3f9bbbf96819a150ad93c33c1
SHA2561915d244bae2707f6531ea7ffc0fb7708f7cafcf2aa354223ea8112064b18eaf
SHA512dcfd05aeb32c42dd9b25c11e214fa7b9aac96c1bdb747ee71487bdce9f58cb6c691bb3266cd3f752b2abd83f9b17d297a767751bf14123dfc14820fb2cb6eaab
-
Filesize
1.8MB
MD5d5c139fe384e12358c394790b740a429
SHA1835188fc822341f9226c13412e00f45d666b85f2
SHA256da8b2ceff64640f1ab5c0acd225762994b9830d50a1db77f7da09ca6f4e33a2e
SHA51208c7781bfe816ff698e2b7cde8bf4a7c5581a2c7c372d1dc51375af5625b9b4132b380c2a2bdbc028f3ad3a02574baf312d1249acb26abc4585a3bfecc670506
-
Filesize
1.8MB
MD5d5c139fe384e12358c394790b740a429
SHA1835188fc822341f9226c13412e00f45d666b85f2
SHA256da8b2ceff64640f1ab5c0acd225762994b9830d50a1db77f7da09ca6f4e33a2e
SHA51208c7781bfe816ff698e2b7cde8bf4a7c5581a2c7c372d1dc51375af5625b9b4132b380c2a2bdbc028f3ad3a02574baf312d1249acb26abc4585a3bfecc670506
-
Filesize
312KB
MD5eabf49a55264bcc12f51bd2710718d3d
SHA1f0e82807f27f2a96f925530bf7aabac46a4e7136
SHA256ef23ae66bc212bf8e435bf806ff120db2470364f3b7362fe05f48b09df225eed
SHA5126a232ec02136cafc35bfcc7168c4df591dd712c8f89f8f133154796c0754362f4911dc3220089757eef43247116fa1b115a15f0f1ba6f312e96df5e8f3bb89b3
-
Filesize
312KB
MD5eabf49a55264bcc12f51bd2710718d3d
SHA1f0e82807f27f2a96f925530bf7aabac46a4e7136
SHA256ef23ae66bc212bf8e435bf806ff120db2470364f3b7362fe05f48b09df225eed
SHA5126a232ec02136cafc35bfcc7168c4df591dd712c8f89f8f133154796c0754362f4911dc3220089757eef43247116fa1b115a15f0f1ba6f312e96df5e8f3bb89b3
-
Filesize
586.7MB
MD56aa415dd8a87f40c9d308601ad50f2a1
SHA1d338f4206846ad0d82b9c173dec718972d489953
SHA256bbdc55f9a97719ae6682db0b43acc03fc7e7cfa504ba634f3bfd6a530e532392
SHA512e120f65a7ea1042a09b1284d2f336fd65ced3a37c36249c82cfa3414b7da1645756c27844e1fe865adae46b3581205645e810fc214d556cba372c0366dfe31f8
-
Filesize
605.3MB
MD59723f38e9f32911d903b622b6968b523
SHA10f6e9b67e2b0eb54a4c227c6b43c989cb5b5564a
SHA2566b6d710d82a99fe3b90891a02c276b05640cf4400823ee6f7fa6a6426363a554
SHA51289fc201e23cd70b101e49759d2b1347e5ce33568a98dadd9c45c1dd6db51f19d4d0549bd3248ce44fe599ce0b7398ad6d7675598e52b8b22c664df134be29b86
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
156KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
4.0MB
-
Filesize
3.8MB
-
Filesize
4.0MB
-
Filesize
1.7MB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.7MB
-
Filesize
1024KB
-
Filesize
1.7MB
-
Filesize
36KB
-
Filesize
1.7MB
-
Filesize
5.0MB
-
Filesize
6.0MB
-
Filesize
584KB
-
Filesize
6.9MB
-
Filesize
408KB
-
Filesize
472KB
-
Filesize
192KB
-
Filesize
300KB
-
Filesize
1.0MB
-
Filesize
6.9MB
-
Filesize
72KB
-
Filesize
24KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
2.0MB
-
Filesize
44KB
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
48KB