Analysis
-
max time kernel
149s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
15/09/2023, 22:41
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Win32.BotX-gen.4091.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Win32.BotX-gen.4091.exe
Resource
win10v2004-20230915-en
General
-
Target
SecuriteInfo.com.Win32.BotX-gen.4091.exe
-
Size
267KB
-
MD5
6cf01c815d1489b617c05fcd4640fffd
-
SHA1
2ad52ebfc86e11c71cc901f18e6c4f80eac55079
-
SHA256
56be912ce754d75f3385dab925ee34d9a0a1e07fe841c6a2e9adafa8021c99bc
-
SHA512
33f2dab46769d6d88b953b7b3972f2561fde10998c1aebbb88bc5366d035b5c706ab4c5209868919b3f01f4e4501da5e06cfe468168dd1be0edea398dd5d28f6
-
SSDEEP
3072:SEI3+gesvpzB4jtXebGwIBsCTZDAIpzNxU4YDG9DZINLgJNZqMG:XI3JvpzB4jtXlB3TvhNxU4YDCdINLj
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://gudintas.at/tmp/
http://pik96.ru/tmp/
http://rosatiauto.com/tmp/
http://kingpirate.ru/tmp/
Extracted
stealc
http://85.209.11.51
-
url_path
/fefb4a458e1dc58b.php
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/396-183-0x0000000000400000-0x000000000045A000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid Process 2200 5EE4.exe 32 6BD5.exe -
Loads dropped DLL 2 IoCs
pid Process 5072 AddInProcess32.exe 5072 AddInProcess32.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 32 set thread context of 3840 32 6BD5.exe 89 PID 2200 set thread context of 4800 2200 5EE4.exe 90 PID 32 set thread context of 5072 32 6BD5.exe 91 PID 2200 set thread context of 3604 2200 5EE4.exe 92 PID 3840 set thread context of 396 3840 AddInProcess32.exe 94 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI SecuriteInfo.com.Win32.BotX-gen.4091.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI SecuriteInfo.com.Win32.BotX-gen.4091.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI SecuriteInfo.com.Win32.BotX-gen.4091.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString AddInProcess32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AddInProcess32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString AddInProcess32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AddInProcess32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2132 SecuriteInfo.com.Win32.BotX-gen.4091.exe 2132 SecuriteInfo.com.Win32.BotX-gen.4091.exe 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found 3204 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3204 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2132 SecuriteInfo.com.Win32.BotX-gen.4091.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
description pid Process Token: SeShutdownPrivilege 3204 Process not Found Token: SeCreatePagefilePrivilege 3204 Process not Found Token: SeShutdownPrivilege 3204 Process not Found Token: SeCreatePagefilePrivilege 3204 Process not Found Token: SeDebugPrivilege 32 6BD5.exe Token: SeDebugPrivilege 2200 5EE4.exe Token: SeShutdownPrivilege 3204 Process not Found Token: SeCreatePagefilePrivilege 3204 Process not Found Token: SeShutdownPrivilege 3204 Process not Found Token: SeCreatePagefilePrivilege 3204 Process not Found Token: SeDebugPrivilege 4800 AddInProcess32.exe Token: SeDebugPrivilege 3840 AddInProcess32.exe Token: SeShutdownPrivilege 3204 Process not Found Token: SeCreatePagefilePrivilege 3204 Process not Found Token: SeShutdownPrivilege 3204 Process not Found Token: SeCreatePagefilePrivilege 3204 Process not Found Token: SeShutdownPrivilege 3204 Process not Found Token: SeCreatePagefilePrivilege 3204 Process not Found Token: SeShutdownPrivilege 3204 Process not Found Token: SeCreatePagefilePrivilege 3204 Process not Found Token: SeShutdownPrivilege 3204 Process not Found Token: SeCreatePagefilePrivilege 3204 Process not Found Token: SeShutdownPrivilege 3204 Process not Found Token: SeCreatePagefilePrivilege 3204 Process not Found Token: SeShutdownPrivilege 3204 Process not Found Token: SeCreatePagefilePrivilege 3204 Process not Found Token: SeShutdownPrivilege 3204 Process not Found Token: SeCreatePagefilePrivilege 3204 Process not Found -
Suspicious use of WriteProcessMemory 62 IoCs
description pid Process procid_target PID 3204 wrote to memory of 2200 3204 Process not Found 87 PID 3204 wrote to memory of 2200 3204 Process not Found 87 PID 3204 wrote to memory of 2200 3204 Process not Found 87 PID 3204 wrote to memory of 32 3204 Process not Found 88 PID 3204 wrote to memory of 32 3204 Process not Found 88 PID 3204 wrote to memory of 32 3204 Process not Found 88 PID 32 wrote to memory of 3840 32 6BD5.exe 89 PID 32 wrote to memory of 3840 32 6BD5.exe 89 PID 32 wrote to memory of 3840 32 6BD5.exe 89 PID 2200 wrote to memory of 4800 2200 5EE4.exe 90 PID 2200 wrote to memory of 4800 2200 5EE4.exe 90 PID 2200 wrote to memory of 4800 2200 5EE4.exe 90 PID 32 wrote to memory of 3840 32 6BD5.exe 89 PID 32 wrote to memory of 3840 32 6BD5.exe 89 PID 32 wrote to memory of 3840 32 6BD5.exe 89 PID 32 wrote to memory of 3840 32 6BD5.exe 89 PID 32 wrote to memory of 3840 32 6BD5.exe 89 PID 2200 wrote to memory of 4800 2200 5EE4.exe 90 PID 2200 wrote to memory of 4800 2200 5EE4.exe 90 PID 2200 wrote to memory of 4800 2200 5EE4.exe 90 PID 2200 wrote to memory of 4800 2200 5EE4.exe 90 PID 2200 wrote to memory of 4800 2200 5EE4.exe 90 PID 32 wrote to memory of 5072 32 6BD5.exe 91 PID 32 wrote to memory of 5072 32 6BD5.exe 91 PID 32 wrote to memory of 5072 32 6BD5.exe 91 PID 32 wrote to memory of 5072 32 6BD5.exe 91 PID 32 wrote to memory of 5072 32 6BD5.exe 91 PID 32 wrote to memory of 5072 32 6BD5.exe 91 PID 32 wrote to memory of 5072 32 6BD5.exe 91 PID 32 wrote to memory of 5072 32 6BD5.exe 91 PID 2200 wrote to memory of 3604 2200 5EE4.exe 92 PID 2200 wrote to memory of 3604 2200 5EE4.exe 92 PID 2200 wrote to memory of 3604 2200 5EE4.exe 92 PID 2200 wrote to memory of 3604 2200 5EE4.exe 92 PID 2200 wrote to memory of 3604 2200 5EE4.exe 92 PID 2200 wrote to memory of 3604 2200 5EE4.exe 92 PID 2200 wrote to memory of 3604 2200 5EE4.exe 92 PID 2200 wrote to memory of 3604 2200 5EE4.exe 92 PID 4800 wrote to memory of 5116 4800 AddInProcess32.exe 93 PID 4800 wrote to memory of 5116 4800 AddInProcess32.exe 93 PID 4800 wrote to memory of 5116 4800 AddInProcess32.exe 93 PID 4800 wrote to memory of 5116 4800 AddInProcess32.exe 93 PID 4800 wrote to memory of 5116 4800 AddInProcess32.exe 93 PID 4800 wrote to memory of 5116 4800 AddInProcess32.exe 93 PID 4800 wrote to memory of 5116 4800 AddInProcess32.exe 93 PID 4800 wrote to memory of 5116 4800 AddInProcess32.exe 93 PID 3840 wrote to memory of 396 3840 AddInProcess32.exe 94 PID 3840 wrote to memory of 396 3840 AddInProcess32.exe 94 PID 3840 wrote to memory of 396 3840 AddInProcess32.exe 94 PID 3840 wrote to memory of 396 3840 AddInProcess32.exe 94 PID 3840 wrote to memory of 396 3840 AddInProcess32.exe 94 PID 3840 wrote to memory of 396 3840 AddInProcess32.exe 94 PID 3840 wrote to memory of 396 3840 AddInProcess32.exe 94 PID 3840 wrote to memory of 396 3840 AddInProcess32.exe 94 PID 4800 wrote to memory of 3380 4800 AddInProcess32.exe 95 PID 4800 wrote to memory of 3380 4800 AddInProcess32.exe 95 PID 4800 wrote to memory of 3380 4800 AddInProcess32.exe 95 PID 4800 wrote to memory of 3380 4800 AddInProcess32.exe 95 PID 4800 wrote to memory of 3380 4800 AddInProcess32.exe 95 PID 4800 wrote to memory of 3380 4800 AddInProcess32.exe 95 PID 4800 wrote to memory of 3380 4800 AddInProcess32.exe 95 PID 4800 wrote to memory of 3380 4800 AddInProcess32.exe 95 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.BotX-gen.4091.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.BotX-gen.4091.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2132
-
C:\Users\Admin\AppData\Local\Temp\5EE4.exeC:\Users\Admin\AppData\Local\Temp\5EE4.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"3⤵PID:5116
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"3⤵PID:3380
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
- Checks processor information in registry
PID:3604
-
-
C:\Users\Admin\AppData\Local\Temp\6BD5.exeC:\Users\Admin\AppData\Local\Temp\6BD5.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:32 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"3⤵PID:396
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:5072
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD56e98ae51f6cacb49a7830bede7ab9920
SHA11b7e9e375bd48cae50343e67ecc376cf5016d4ee
SHA256192cd04b9a4d80701bb672cc3678912d1df8f6b987c2b4991d9b6bfbe8f011fd
SHA5123e7cdda870cbde0655cc30c2f7bd3afee96fdfbe420987ae6ea2709089c0a8cbc8bb9187ef3b4ec3f6a019a9a8b465588b61029869f5934e0820b2461c4a9b2b
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
148KB
MD5ba25e6f018cc3be0067e27534065afd9
SHA1d210b2582751eaf95e39f477d17bee57bc704a8e
SHA256684e380e52fb6c94c2c5515faeaa5bcf66f861fc41da29b435c38dd1416d1a9d
SHA5128076f2ad7b548cfe50caccdd93a0cbb8222f957d9b7475ac475fd8bca2247372aaf7e13d52c7ec90e1d1be0b422c03c9cb8e4e0ee6fb3e43a862cf1dc239f8ae
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
5KB
MD5fff8bb74ff31eb63f0386737a00b6d0a
SHA1eaf6b3268e69a783aee4f97c4a2daa9bd153d6fe
SHA256fdbb1e867d9aff33fa30c8e2d1f0cf18faa97c27851767720035b05e67100cc6
SHA512dc77574ca6d10edc96901776022b1d10bd2b0295647c61ea97dd806b744a217d807edbea13af13fbd458a3f3c8553924df46d4ebff829a02f191c63142f6699a
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
87KB
MD5842ccb3e9856570ec670bd0fd5adae21
SHA108de064c41f237c0502bc71849a8654cd2ab3272
SHA256945bad97952b8789cccea0cf0a62b6e96dfd517de2dc81e4142b849462cf6e05
SHA512475f8850962c66e717382aa0454fcd49b6430e2e1ea4dcd62192a0b783a9942b69d3f959491f02cd52ad148058c5ded5921c47e0971a74253d22dd58a4c3e79a
-
Filesize
78KB
MD5a37ee36b536409056a86f50e67777dd7
SHA11cafa159292aa736fc595fc04e16325b27cd6750
SHA2568934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA5123a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
505KB
MD53082e7832f7a31397990d4d3ae4c75c9
SHA1769b150e219c7e8d7221f7a0f0ba6ef617fd036d
SHA256716f6379cc32afb03ef2639b14e32b4df5538b99b84dafe355b39f8934e7c740
SHA5128e371f4b075070daf8efb449ab87d923eb4d3cad74d7c9c3d3cef76f43f268c0e4aabe6fa1f801e20ac49e25f9bac70338044fbe9bd408883429ca34fb98ade4
-
Filesize
505KB
MD53082e7832f7a31397990d4d3ae4c75c9
SHA1769b150e219c7e8d7221f7a0f0ba6ef617fd036d
SHA256716f6379cc32afb03ef2639b14e32b4df5538b99b84dafe355b39f8934e7c740
SHA5128e371f4b075070daf8efb449ab87d923eb4d3cad74d7c9c3d3cef76f43f268c0e4aabe6fa1f801e20ac49e25f9bac70338044fbe9bd408883429ca34fb98ade4
-
Filesize
505KB
MD53082e7832f7a31397990d4d3ae4c75c9
SHA1769b150e219c7e8d7221f7a0f0ba6ef617fd036d
SHA256716f6379cc32afb03ef2639b14e32b4df5538b99b84dafe355b39f8934e7c740
SHA5128e371f4b075070daf8efb449ab87d923eb4d3cad74d7c9c3d3cef76f43f268c0e4aabe6fa1f801e20ac49e25f9bac70338044fbe9bd408883429ca34fb98ade4
-
Filesize
505KB
MD53082e7832f7a31397990d4d3ae4c75c9
SHA1769b150e219c7e8d7221f7a0f0ba6ef617fd036d
SHA256716f6379cc32afb03ef2639b14e32b4df5538b99b84dafe355b39f8934e7c740
SHA5128e371f4b075070daf8efb449ab87d923eb4d3cad74d7c9c3d3cef76f43f268c0e4aabe6fa1f801e20ac49e25f9bac70338044fbe9bd408883429ca34fb98ade4