Analysis
-
max time kernel
38s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system -
submitted
05-12-2023 17:06
Static task
static1
Behavioral task
behavioral1
Sample
c157fc602f74ceef8db9adc79ad6b11836f4a8bc8833dc38bb22f8998166b183.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
c157fc602f74ceef8db9adc79ad6b11836f4a8bc8833dc38bb22f8998166b183.exe
Resource
win10v2004-20231130-en
General
-
Target
c157fc602f74ceef8db9adc79ad6b11836f4a8bc8833dc38bb22f8998166b183.exe
-
Size
270KB
-
MD5
c9351eac0dbd84e1795eeddc90eb9c5e
-
SHA1
2fca40622ffa7903b8711e5b8ecbebc401a6a93b
-
SHA256
c157fc602f74ceef8db9adc79ad6b11836f4a8bc8833dc38bb22f8998166b183
-
SHA512
9cb9000b114c6cd2aa472d4684dabbfd0c7cad7cb49bdb6239c1a04689622b2f2dd08e021007da71c0ed247e474948b21a9953a42187d147af133e065927e711
-
SSDEEP
3072:cFDA0Y7DY/3pFSlTLHj3qtmRAVwnFDnJFo5iuS0M81aC2d:aDZ80XSl3HbqyAVwnVJiNS0M81a
Malware Config
Extracted
smokeloader
2022
Extracted
redline
1205-55000
38.47.221.193:34368
Extracted
redline
redtest
107.173.58.91:32870
Signatures
-
Raccoon Stealer V2 payload 3 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/2684-22-0x0000000000400000-0x0000000002ABF000-memory.dmp   family_raccoon_v2
behavioral1/memory/2684-23-0x0000000000220000-0x0000000000236000-memory.dmp   family_raccoon_v2
behavioral1/memory/2684-108-0x0000000000400000-0x0000000002ABF000-memory.dmp  family_raccoon_v2
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/2852-166-0x0000000000080000-0x00000000000BC000-memory.dmp  family_redline
behavioral1/memory/2852-169-0x0000000000080000-0x00000000000BC000-memory.dmp  family_redline
behavioral1/memory/2852-171-0x0000000000080000-0x00000000000BC000-memory.dmp  family_redline
behavioral1/memory/2852-174-0x0000000007420000-0x0000000007460000-memory.dmp  family_redline
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
Processes:
pid   process
1292  (no image name recorded)
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
2684  33FC.exe
-
Processes:
resource                                                                      yara_rule
C:\Users\Admin\AppData\Local\Temp\3D31.exe                                    themida
behavioral1/memory/2548-70-0x0000000000B90000-0x0000000001512000-memory.dmp   themida
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description     ioc                                                process
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   c157fc602f74ceef8db9adc79ad6b11836f4a8bc8833dc38bb22f8998166b183.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   c157fc602f74ceef8db9adc79ad6b11836f4a8bc8833dc38bb22f8998166b183.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   c157fc602f74ceef8db9adc79ad6b11836f4a8bc8833dc38bb22f8998166b183.exe
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
pid   process
580   tasklist.exe
1676  tasklist.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
2360  c157fc602f74ceef8db9adc79ad6b11836f4a8bc8833dc38bb22f8998166b183.exe
2360  c157fc602f74ceef8db9adc79ad6b11836f4a8bc8833dc38bb22f8998166b183.exe
1292  (no image name recorded; this entry is repeated 62 times, making up the remaining IoCs)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
1292  (no image name recorded)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid   process
2360  c157fc602f74ceef8db9adc79ad6b11836f4a8bc8833dc38bb22f8998166b183.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description                       pid   process                   target process
PID 1292 wrote to memory of 2684  1292  (no image name recorded)  33FC.exe
PID 1292 wrote to memory of 2684  1292  (no image name recorded)  33FC.exe
PID 1292 wrote to memory of 2684  1292  (no image name recorded)  33FC.exe
PID 1292 wrote to memory of 2684  1292  (no image name recorded)  33FC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c157fc602f74ceef8db9adc79ad6b11836f4a8bc8833dc38bb22f8998166b183.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c157fc602f74ceef8db9adc79ad6b11836f4a8bc8833dc38bb22f8998166b183.exe"
  PID:2360
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\33FC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\33FC.exe
  PID:2684
  - Executes dropped EXE
-
C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3795.dll
  PID:2796
    C:\Windows\SysWOW64\regsvr32.exe
      command line: /s C:\Users\Admin\AppData\Local\Temp\3795.dll
      PID:2660
-
C:\Users\Admin\AppData\Local\Temp\3D31.exe
  command line: C:\Users\Admin\AppData\Local\Temp\3D31.exe
  PID:2548
-
C:\Users\Admin\AppData\Local\Temp\41F3.exe
  command line: C:\Users\Admin\AppData\Local\Temp\41F3.exe
  PID:2256
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /k cmd < Properly & exit
      PID:680
        C:\Windows\SysWOW64\cmd.exe
          command line: cmd
          PID:2876
            C:\Windows\SysWOW64\findstr.exe
              command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
              PID:2220
            C:\Windows\SysWOW64\tasklist.exe
              command line: tasklist
              PID:580
              - Enumerates processes with tasklist
            C:\Windows\SysWOW64\tasklist.exe
              command line: tasklist
              PID:1676
              - Enumerates processes with tasklist
            C:\Windows\SysWOW64\findstr.exe
              command line: findstr /I "wrsa.exe"
              PID:1736
            C:\Windows\SysWOW64\cmd.exe
              command line: cmd /c copy /b Mandatory + Aging + Fathers + Granny + Plymouth 28255\Imported.pif
              PID:2132
            C:\Windows\SysWOW64\cmd.exe
              command line: cmd /c copy /b Rod + Animation 28255\t
              PID:1792
            C:\Windows\SysWOW64\PING.EXE
              command line: ping -n 5 localhost
              PID:2836
              - Runs ping.exe
            C:\Users\Admin\AppData\Local\Temp\23276\28255\Imported.pif
              command line: 28255\Imported.pif 28255\t
              PID:1616
            C:\Windows\SysWOW64\cmd.exe
              command line: cmd /c mkdir 28255
              PID:1064
-
C:\Users\Admin\AppData\Local\Temp\4C02.exe
  command line: C:\Users\Admin\AppData\Local\Temp\4C02.exe
  PID:1436
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID:2732
-
C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  PID:2800
-
C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe
  PID:2792
-
C:\Users\Admin\AppData\Local\Temp\23276\28255\jsc.exe
  command line: C:\Users\Admin\AppData\Local\Temp\23276\28255\jsc.exe
  PID:2852
Network
MITRE ATT&CK Enterprise v15
Downloads