Analysis
-
max time kernel
146s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
-
submitted
16-07-2023 07:41
General
-
Target
7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe
-
Size
163KB
-
MD5
7ff07ccc087a7d29c89cfd7fd5eb9f5d
-
SHA1
2150a746f78c9648d61a5e6861817408d80296cb
-
SHA256
26ee5ecb55714d302e8adcc345fc373abf5eb3189c854922cfca7c3c5c7018fe
-
SHA512
5710315d3921799b192fd3c683aff6282ff55a28c1689441f91277bfa5720212546d14a040963f12810aecd76be6e98b63e8de360ec1e7997848c3eac69e9165
-
SSDEEP
3072:rri0LnjzU9CSXlwRglQttweek/bOn3fekTBO95wYW:60LnjAxX8WQfY2OvesnYW
Malware Config
Extracted
smokeloader
summ
Extracted
smokeloader
2022
http://stalagmijesarl.com/
http://ukdantist-sarl.com/
http://cpcorprotationltd.com/
Extracted
redline
cc
94.228.169.160:43800
-
auth_value
ec4d19a9dd758ace38b4f5b4a447b048
Extracted
laplas
http://clipper.guru
-
api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 23 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe"C:\Users\Admin\AppData\Local\Temp\7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\3DAC.exeC:\Users\Admin\AppData\Local\Temp\3DAC.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\43D3.exeC:\Users\Admin\AppData\Local\Temp\43D3.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\514C.exeC:\Users\Admin\AppData\Local\Temp\514C.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 362⤵
- Loads dropped DLL
- Program crash
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344B
MD5e3ec6fac7cb034d7633d62dd7a77a396
SHA1aa8baa3dd5a350d6659cbee31796d85d145efecf
SHA256a08f09ae77d70f0967a25a2f64306144abc50e816de2056d5c2f7fde95ee57a8
SHA5126a5381809575e127091f37e528ddf51cca21d4ef104c4607ba3abe9dd4e9f3e7157157f854da8965b61d6e7e5011db2b76102f45efa4f7a2301fe6daa384d611
-
Filesize
1.8MB
MD5d5c139fe384e12358c394790b740a429
SHA1835188fc822341f9226c13412e00f45d666b85f2
SHA256da8b2ceff64640f1ab5c0acd225762994b9830d50a1db77f7da09ca6f4e33a2e
SHA51208c7781bfe816ff698e2b7cde8bf4a7c5581a2c7c372d1dc51375af5625b9b4132b380c2a2bdbc028f3ad3a02574baf312d1249acb26abc4585a3bfecc670506
-
Filesize
1.8MB
MD5d5c139fe384e12358c394790b740a429
SHA1835188fc822341f9226c13412e00f45d666b85f2
SHA256da8b2ceff64640f1ab5c0acd225762994b9830d50a1db77f7da09ca6f4e33a2e
SHA51208c7781bfe816ff698e2b7cde8bf4a7c5581a2c7c372d1dc51375af5625b9b4132b380c2a2bdbc028f3ad3a02574baf312d1249acb26abc4585a3bfecc670506
-
Filesize
1.8MB
MD5d5c139fe384e12358c394790b740a429
SHA1835188fc822341f9226c13412e00f45d666b85f2
SHA256da8b2ceff64640f1ab5c0acd225762994b9830d50a1db77f7da09ca6f4e33a2e
SHA51208c7781bfe816ff698e2b7cde8bf4a7c5581a2c7c372d1dc51375af5625b9b4132b380c2a2bdbc028f3ad3a02574baf312d1249acb26abc4585a3bfecc670506
-
Filesize
312KB
MD5eabf49a55264bcc12f51bd2710718d3d
SHA1f0e82807f27f2a96f925530bf7aabac46a4e7136
SHA256ef23ae66bc212bf8e435bf806ff120db2470364f3b7362fe05f48b09df225eed
SHA5126a232ec02136cafc35bfcc7168c4df591dd712c8f89f8f133154796c0754362f4911dc3220089757eef43247116fa1b115a15f0f1ba6f312e96df5e8f3bb89b3
-
Filesize
312KB
MD5eabf49a55264bcc12f51bd2710718d3d
SHA1f0e82807f27f2a96f925530bf7aabac46a4e7136
SHA256ef23ae66bc212bf8e435bf806ff120db2470364f3b7362fe05f48b09df225eed
SHA5126a232ec02136cafc35bfcc7168c4df591dd712c8f89f8f133154796c0754362f4911dc3220089757eef43247116fa1b115a15f0f1ba6f312e96df5e8f3bb89b3
-
Filesize
2.0MB
MD571ef5fd46955ea0abd7800e7c99cc8b3
SHA1a9efdd480409e6b0a626ea6fd9efaf280b20bb75
SHA256fe20091e32e612a1b5b7043895ddf7d0131a544a6f86d177218645241070f32d
SHA512a5fb7bdb0df383295d35c7e7e73956e8f5061e9ec00e783fa36c8577234be3333bd8d26fd110de08b9809495587fb3f9b79742bd3fb178cf892c88c36a75e650
-
Filesize
62KB
MD53ac860860707baaf32469fa7cc7c0192
SHA1c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
-
Filesize
164KB
MD54ff65ad929cd9a367680e0e5b1c08166
SHA1c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27
-
Filesize
261.8MB
MD51cb47cad291477e0b3162f16682d204c
SHA12e3428f2970ecea5b6932bf51c8431b2723a7621
SHA256d273516cc66b3d0bcac93f27cec2c85c4b6ad6ea77fafc5ac54692208d69d226
SHA5127474b946956537b0036bded60ffa2da016e4b18cecfbdf61e94f4bf0e042546b36e8b8410b78fe8dab7b046e69a0c73a1d8ba13a9d50f097935c2a666134cc5c
-
Filesize
2.0MB
MD571ef5fd46955ea0abd7800e7c99cc8b3
SHA1a9efdd480409e6b0a626ea6fd9efaf280b20bb75
SHA256fe20091e32e612a1b5b7043895ddf7d0131a544a6f86d177218645241070f32d
SHA512a5fb7bdb0df383295d35c7e7e73956e8f5061e9ec00e783fa36c8577234be3333bd8d26fd110de08b9809495587fb3f9b79742bd3fb178cf892c88c36a75e650
-
Filesize
2.0MB
MD571ef5fd46955ea0abd7800e7c99cc8b3
SHA1a9efdd480409e6b0a626ea6fd9efaf280b20bb75
SHA256fe20091e32e612a1b5b7043895ddf7d0131a544a6f86d177218645241070f32d
SHA512a5fb7bdb0df383295d35c7e7e73956e8f5061e9ec00e783fa36c8577234be3333bd8d26fd110de08b9809495587fb3f9b79742bd3fb178cf892c88c36a75e650
-
Filesize
2.0MB
MD571ef5fd46955ea0abd7800e7c99cc8b3
SHA1a9efdd480409e6b0a626ea6fd9efaf280b20bb75
SHA256fe20091e32e612a1b5b7043895ddf7d0131a544a6f86d177218645241070f32d
SHA512a5fb7bdb0df383295d35c7e7e73956e8f5061e9ec00e783fa36c8577234be3333bd8d26fd110de08b9809495587fb3f9b79742bd3fb178cf892c88c36a75e650
-
Filesize
286.6MB
MD570a87234e618e9ecaa10994418ecd602
SHA10b112335c1f929606df03e257f2ba71a851456d3
SHA256f28ea287ffa4d92aca77cbb6df4480fc5d31570f0a4fb8e7b6947e3fcc799f60
SHA5125481a1a20922c0035d73db550ee11136d8c4bd6f3cebf14bad49508c9d35981510717d8b5628bd3208cfeae7c995b359e9d2ce8963c3ab541e1af6cf4cef1560
-
Filesize
314.6MB
MD5f81a6579cb76ebaa280a4a8fb28840fc
SHA152a7734d6790f651d70e0da7cc7789ba8ca6b7e7
SHA25649282a105b82322d7182205331256549906806dce8830cc351b44bb1d469e376
SHA51237fcf21f1d3e64220ca856962d26aee5b77fde60e12558cacbeb90061ddfde322db9481ade1763c085ac7b061ccf948f4cda7632d1e0c22dc7e20d5ca391ae58
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
1.7MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
3.8MB
-
Filesize
1.7MB
-
Filesize
36KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
192KB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
60KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
60KB
-
Filesize
60KB
-
Filesize
908KB
-
Filesize
908KB
-
Filesize
36KB
-
Filesize
1024KB
-
Filesize
1.7MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
1.7MB
-
Filesize
2.0MB
-
Filesize
156KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
156KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
1024KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
24KB
-
Filesize
1024KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
264KB
-
Filesize
280KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
1.8MB
-
Filesize
1024KB
-
Filesize
6.9MB
-
Filesize
296KB
-
Filesize
1.8MB
-
Filesize
296KB