Analysis
-
max time kernel
150s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
03/10/2023, 14:37
General
-
Target
7f6a1fe8b2acedc1c54746124c87133ee68e64c411d2c4fbc7aaa9e8089c7354_JC.exe
-
Size
234KB
-
MD5
07ddc02a6690f5e0d1927cf966443b34
-
SHA1
c0a1dbbc71c4f8a622c66cd8da0af977fa1a010e
-
SHA256
7f6a1fe8b2acedc1c54746124c87133ee68e64c411d2c4fbc7aaa9e8089c7354
-
SHA512
55ce65d1aaf730c660d94dc10fa606b5e7aff16f95a9c2fe4ea9cd1776396eda8654ac29cb16b37bbe5ec5a6dfe6c6e6af1243fce6a11c25236a518d47d62437
-
SSDEEP
3072:v/QNy0IYyB0d5waXV7pmhIAJl2q1UTXWoWcqo+xlSU95R6Jp2fovV:XOy55B0dKw1LIVUTGPcqvlSk6Jp2QV
Malware Config
Extracted
smokeloader
2022
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
51.255.152.132:36011
Extracted
amadey
3.87
http://79.137.192.18/9bDc8sQ/index.php
-
install_dir
577f58beff
-
install_file
yiueea.exe
-
strings_key
a5085075a537f09dec81cc154ec0af4d
Extracted
smokeloader
pub1
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f6a1fe8b2acedc1c54746124c87133ee68e64c411d2c4fbc7aaa9e8089c7354_JC.exe"C:\Users\Admin\AppData\Local\Temp\7f6a1fe8b2acedc1c54746124c87133ee68e64c411d2c4fbc7aaa9e8089c7354_JC.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\DB62.exeC:\Users\Admin\AppData\Local\Temp\DB62.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\DC2E.exeC:\Users\Admin\AppData\Local\Temp\DC2E.exe1⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 4162⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\DFF8.exeC:\Users\Admin\AppData\Local\Temp\DFF8.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\E2B8.exeC:\Users\Admin\AppData\Local\Temp\E2B8.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\E588.exeC:\Users\Admin\AppData\Local\Temp\E588.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 448 -ip 4481⤵
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\E981.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\E981.dll2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
732KB
MD58f4c3da1585a072e6502ac568601601b
SHA135b0ed8212cee181bf43686b4e5425e2c7d0ffc5
SHA2561b13cd2633c86e3aa4b216534b7e516a55f89945270a5485ca7cc9411dd5728d
SHA512aecef7bea0e43c616862e0544b1fcfcb594b1e28b5615d4387d9cca0ad00cb1e52b9c7dea0cf652594cbbf1d9210ebf9af78427cab56cf321c3d7a67174bc36a
-
Filesize
732KB
MD58f4c3da1585a072e6502ac568601601b
SHA135b0ed8212cee181bf43686b4e5425e2c7d0ffc5
SHA2561b13cd2633c86e3aa4b216534b7e516a55f89945270a5485ca7cc9411dd5728d
SHA512aecef7bea0e43c616862e0544b1fcfcb594b1e28b5615d4387d9cca0ad00cb1e52b9c7dea0cf652594cbbf1d9210ebf9af78427cab56cf321c3d7a67174bc36a
-
Filesize
367KB
MD5d8ab561934ca36b3ee80d5c7647a8b13
SHA15a79fafcb1450f9acaf77462af5d205daa5e6917
SHA256e0cd7d5435c616086f418115d28d4896f69cdf1b20b76065f3d1b9d50d531295
SHA5129716f546c4f5b629da4adecba132a0dc32f28c50ff3506ad6df25a607aaa06498bcb38d4ff263f2fcece582aed17237f76e9b2c07c10a9d245126a779089bf17
-
Filesize
367KB
MD5d8ab561934ca36b3ee80d5c7647a8b13
SHA15a79fafcb1450f9acaf77462af5d205daa5e6917
SHA256e0cd7d5435c616086f418115d28d4896f69cdf1b20b76065f3d1b9d50d531295
SHA5129716f546c4f5b629da4adecba132a0dc32f28c50ff3506ad6df25a607aaa06498bcb38d4ff263f2fcece582aed17237f76e9b2c07c10a9d245126a779089bf17
-
Filesize
294KB
MD5efeb45f265d429953eed17936db8a422
SHA11f09d99a3b8f58c114de75489231d7ef8ee54a6f
SHA256b4f271857aad72c734050752f4bd22c254cbde4ffe9d87243c3087a0de779f47
SHA512d1e67a4bb35c494850dc8e2c761909f272cb23ae62969d9afb64e94dc4ed9c9b9960b7710be7a08de70f3237eee9a1093a24f632b08c2f94b5886a92a7f292f5
-
Filesize
294KB
MD5efeb45f265d429953eed17936db8a422
SHA11f09d99a3b8f58c114de75489231d7ef8ee54a6f
SHA256b4f271857aad72c734050752f4bd22c254cbde4ffe9d87243c3087a0de779f47
SHA512d1e67a4bb35c494850dc8e2c761909f272cb23ae62969d9afb64e94dc4ed9c9b9960b7710be7a08de70f3237eee9a1093a24f632b08c2f94b5886a92a7f292f5
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
732KB
MD5d46a78191c2dc363578bca80db360c8e
SHA1f8e2d9b7edc849273b22ee0633a6a714d4f440cd
SHA25603f0b6f519eac662b491fe8ad74e43f17198d85329904ffbb509ece5d631241f
SHA512772ecd9be680c1c8b753b30dc59c09d6f98035631b5decc1525bdfda7e6f1980eea64bfc154218d38aa7156efa8f6de3595ccfd1cb54736542f326550c2a8bc6
-
Filesize
732KB
MD5d46a78191c2dc363578bca80db360c8e
SHA1f8e2d9b7edc849273b22ee0633a6a714d4f440cd
SHA25603f0b6f519eac662b491fe8ad74e43f17198d85329904ffbb509ece5d631241f
SHA512772ecd9be680c1c8b753b30dc59c09d6f98035631b5decc1525bdfda7e6f1980eea64bfc154218d38aa7156efa8f6de3595ccfd1cb54736542f326550c2a8bc6
-
Filesize
1.1MB
MD5ef0982b12152fc95c38bdb1efc9e8182
SHA1243454ff09d4d8e3cd465a51b39e7669d2f264b1
SHA256bb59b626e85ccf5322c40e570275e7ede5766d7030e0fef21c7e4d30e9f91aa2
SHA512dd2b74a37a750d8d68297d88050ab2fa937a20819fa29306aba2970c6b5c883b9153b155411c823812284f8c641b37b872646fb259e652eb39942578ecf07447
-
Filesize
1.2MB
MD5e1af1949a3314fade707d3506364063f
SHA1ada1dabb778fffbb3aaf09b99c32877e738391a5
SHA256d1dadb6bfb565678f02f79ecef3a8e49a59613cdcb45ecb1a4dea772516203c4
SHA5124a86555ab8f9f7edcdee54262a4944b9e384b176d8ccc21be488df17cfdf55e61e11487e24ee6b32b5f315ce8353d9a9c83cd9622d01825761633686bb262ad7
-
Filesize
30.6MB
-
Filesize
36KB
-
Filesize
1024KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
32.2MB
-
Filesize
32.2MB
-
Filesize
248KB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.2MB
-
Filesize
24KB