Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    254s
  • platform
    windows10-1703_x64
  • resource
    win10-20230831-en
  • resource tags

    arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
  • submitted
    10-09-2023 22:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bfd008e1ea32fcd2a1f9980af02b684c6a7f1fe5f374391185069c31e9c084ee.exe

  • Size

    252KB

  • MD5

    81a7aed5c6838dd6476030a8db20d544

  • SHA1

    d3b1fbe47bf204a9960805050123f81d3bd728bc

  • SHA256

    bfd008e1ea32fcd2a1f9980af02b684c6a7f1fe5f374391185069c31e9c084ee

  • SHA512

    b1d03236e7eec858af9da5c55a2e530e51fd726907409ea358c44df909deb46fb05babf7249e5e6107496ab85f1af95a5a8d9c919c4f7bf403679043f58ea122

  • SSDEEP

    6144:yltRVCizvvCGCr2eaPsB6gAOrkj0yQXBvWjuRd:yvTCGQdkwVRd

Score
10/10
amadeyredlinesmokeloaderbackdoordiscoveryinfostealerspywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

amadey

Version

3.83

C2

http://5.42.65.80/8bmeVwqx/index.php

Attributes
  • install_dir

    207aa4515d

  • install_file

    oneetx.exe

  • strings_key

    3e634dd0840c68ae2ced83c2be7bf0d4

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\bfd008e1ea32fcd2a1f9980af02b684c6a7f1fe5f374391185069c31e9c084ee.exe
    "C:\Users\Admin\AppData\Local\Temp\bfd008e1ea32fcd2a1f9980af02b684c6a7f1fe5f374391185069c31e9c084ee.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:3572
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 264
      2⤵
      • Program crash
      PID:3852
  • C:\Users\Admin\AppData\Local\Temp\9A18.exe
    C:\Users\Admin\AppData\Local\Temp\9A18.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2620
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
  • C:\Users\Admin\AppData\Local\Temp\9DC3.exe
    C:\Users\Admin\AppData\Local\Temp\9DC3.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
      "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:5064
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3012
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          4⤵
            PID:5080
          • C:\Windows\SysWOW64\cacls.exe
            CACLS "oneetx.exe" /P "Admin:N"
            4⤵
              PID:4108
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "oneetx.exe" /P "Admin:R" /E
              4⤵
                PID:1524
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                4⤵
                  PID:664
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\207aa4515d" /P "Admin:N"
                  4⤵
                    PID:4912
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\207aa4515d" /P "Admin:R" /E
                    4⤵
                      PID:1264
              • C:\Users\Admin\AppData\Local\Temp\A006.exe
                C:\Users\Admin\AppData\Local\Temp\A006.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:3728
              • C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
                C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
                1⤵
                • Executes dropped EXE
                PID:4152

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
                Filesize

                198KB

                MD5

                a64a886a695ed5fb9273e73241fec2f7

                SHA1

                363244ca05027c5beb938562df5b525a2428b405

                SHA256

                563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

                SHA512

                122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
                Filesize

                198KB

                MD5

                a64a886a695ed5fb9273e73241fec2f7

                SHA1

                363244ca05027c5beb938562df5b525a2428b405

                SHA256

                563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

                SHA512

                122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
                Filesize

                198KB

                MD5

                a64a886a695ed5fb9273e73241fec2f7

                SHA1

                363244ca05027c5beb938562df5b525a2428b405

                SHA256

                563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

                SHA512

                122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
                Filesize

                198KB

                MD5

                a64a886a695ed5fb9273e73241fec2f7

                SHA1

                363244ca05027c5beb938562df5b525a2428b405

                SHA256

                563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

                SHA512

                122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\9A18.exe
                Filesize

                1.2MB

                MD5

                1a18fc4db3affaacf43f4022df7a2c32

                SHA1

                2ef240262c43bdd5f6a9db9f7e6abb1e408366ba

                SHA256

                b76a4488c5fa797828b85f998054f6e879b4c213d639f4501c725337b71e6c32

                SHA512

                be7ea1afa780dbe8bf70141566de147493bd6c276c64b45431e4ef3c46aecb5be28cea63f3a56188ba075b8aaae4edc400c0b07b6c05da0f4ce02a4ff5519069

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\9A18.exe
                Filesize

                1.2MB

                MD5

                1a18fc4db3affaacf43f4022df7a2c32

                SHA1

                2ef240262c43bdd5f6a9db9f7e6abb1e408366ba

                SHA256

                b76a4488c5fa797828b85f998054f6e879b4c213d639f4501c725337b71e6c32

                SHA512

                be7ea1afa780dbe8bf70141566de147493bd6c276c64b45431e4ef3c46aecb5be28cea63f3a56188ba075b8aaae4edc400c0b07b6c05da0f4ce02a4ff5519069

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\9DC3.exe
                Filesize

                198KB

                MD5

                a64a886a695ed5fb9273e73241fec2f7

                SHA1

                363244ca05027c5beb938562df5b525a2428b405

                SHA256

                563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

                SHA512

                122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\9DC3.exe
                Filesize

                198KB

                MD5

                a64a886a695ed5fb9273e73241fec2f7

                SHA1

                363244ca05027c5beb938562df5b525a2428b405

                SHA256

                563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

                SHA512

                122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\A006.exe
                Filesize

                341KB

                MD5

                8669fe397a7225ede807202f6a9d8390

                SHA1

                04a806a5c4218cb703cba85d3e636d0c8cbae043

                SHA256

                1624a759791e49ce8f79dd249d3ac2aede589ffbe53db342e4c99e2fbbc1b90e

                SHA512

                29cad49434172a910ba7635058ecc02aacf43f648ee98b2c47c561332403a96847b5da817358095f7638295b238de8874bf34fb393670096bbf3caeb388a9c45

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\A006.exe
                Filesize

                341KB

                MD5

                8669fe397a7225ede807202f6a9d8390

                SHA1

                04a806a5c4218cb703cba85d3e636d0c8cbae043

                SHA256

                1624a759791e49ce8f79dd249d3ac2aede589ffbe53db342e4c99e2fbbc1b90e

                SHA512

                29cad49434172a910ba7635058ecc02aacf43f648ee98b2c47c561332403a96847b5da817358095f7638295b238de8874bf34fb393670096bbf3caeb388a9c45

                Download Submit

              • memory/2620-23-0x00000000002A0000-0x000000000042E000-memory.dmp

                Filesize

                1.6MB

                Download

              • memory/2620-16-0x00000000002A0000-0x000000000042E000-memory.dmp

                Filesize

                1.6MB

                Download

              • memory/2620-15-0x00000000002A0000-0x000000000042E000-memory.dmp

                Filesize

                1.6MB

                Download

              • memory/2652-4-0x0000000000CF0000-0x0000000000D06000-memory.dmp

                Filesize

                88KB

                Download

              • memory/2736-40-0x0000000009260000-0x000000000926A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/2736-67-0x000000000DA20000-0x000000000DF4C000-memory.dmp

                Filesize

                5.2MB

                Download

              • memory/2736-380-0x0000000072800000-0x0000000072EEE000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/2736-365-0x000000000D640000-0x000000000D690000-memory.dmp

                Filesize

                320KB

                Download

              • memory/2736-35-0x000000000B730000-0x000000000B7C2000-memory.dmp

                Filesize

                584KB

                Download

              • memory/2736-39-0x000000000B8A0000-0x000000000B8B0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2736-364-0x0000000072800000-0x0000000072EEE000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/2736-41-0x000000000C740000-0x000000000CD46000-memory.dmp

                Filesize

                6.0MB

                Download

              • memory/2736-68-0x000000000D270000-0x000000000D28E000-memory.dmp

                Filesize

                120KB

                Download

              • memory/2736-43-0x000000000B910000-0x000000000B922000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2736-26-0x0000000072800000-0x0000000072EEE000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/2736-46-0x000000000BA40000-0x000000000BB4A000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/2736-17-0x0000000000400000-0x000000000045A000-memory.dmp

                Filesize

                360KB

                Download

              • memory/2736-31-0x000000000BC30000-0x000000000C12E000-memory.dmp

                Filesize

                5.0MB

                Download

              • memory/2736-52-0x000000000B980000-0x000000000B9BE000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2736-66-0x000000000D320000-0x000000000D4E2000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/2736-58-0x000000000C1B0000-0x000000000C216000-memory.dmp

                Filesize

                408KB

                Download

              • memory/2736-65-0x000000000D0D0000-0x000000000D146000-memory.dmp

                Filesize

                472KB

                Download

              • memory/3572-5-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

                Download

              • memory/3572-3-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

                Download

              • memory/3572-0-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

                Download

              • memory/3728-53-0x0000000007660000-0x00000000076AB000-memory.dmp

                Filesize

                300KB

                Download

              • memory/3728-42-0x00000000073A0000-0x00000000073B0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3728-38-0x0000000072800000-0x0000000072EEE000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/3728-374-0x0000000072800000-0x0000000072EEE000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/3728-375-0x00000000073A0000-0x00000000073B0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3728-379-0x0000000072800000-0x0000000072EEE000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/3728-37-0x00000000005E0000-0x000000000063A000-memory.dmp

                Filesize

                360KB

                Download