Overview

overview

10

Static

static

10

0b5ab18b1f...e2.exe

windows7-x64

10

0b5ab18b1f...e2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    64s
  • max time network
    74s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-12-2023 22:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b5ab18b1fb6b220e32a614dfb5b4de2.exe

  • Size

    37KB

  • MD5

    0b5ab18b1fb6b220e32a614dfb5b4de2

  • SHA1

    42b2d5dcf34395173b96899113d42080f0053643

  • SHA256

    8b978cea455f253e274933089679a398069a42108e037cb3f930f168fb89c3cb

  • SHA512

    999bcc43833f18abf11804bec0acc419a03dbce7ebc3900dfd3cdb5fe8e66af5baa71f8961c13d7a38162e73206ae245d3eb2ef6eb24d1b17de001f6b6324bf7

  • SSDEEP

    768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX

Score
10/10
eternityredlinesmokeloader@oleh_psbackdoorinfostealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://81.19.131.34/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

@oleh_ps

C2

176.123.7.190:32927

Extracted

Family

eternity

Wallets

47vk9PbPuHnEnazCn4tLpwPCWRLSMhpX9PD8WqpjchhTXisimD6j8EvRFDbPQHKUmHVq3vAM3DLytXLg8CqcdRXRFdPe92Q

Attributes
  • payload_urls

    https://raw.githubusercontent.com/VolVeRFM/SilentMiner-VolVeR/main/VolVeRBuilder/Resources/xmrig.exe

Signatures

  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    eternity
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b5ab18b1fb6b220e32a614dfb5b4de2.exe
    "C:\Users\Admin\AppData\Local\Temp\0b5ab18b1fb6b220e32a614dfb5b4de2.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1164
  • C:\Users\Admin\AppData\Local\Temp\A47.exe
    C:\Users\Admin\AppData\Local\Temp\A47.exe
    1⤵
    • Executes dropped EXE
    PID:4336
  • C:\Users\Admin\AppData\Local\Temp\6A89.exe
    C:\Users\Admin\AppData\Local\Temp\6A89.exe
    1⤵
    • Executes dropped EXE
    PID:860
  • C:\Users\Admin\AppData\Local\Temp\72E6.exe
    C:\Users\Admin\AppData\Local\Temp\72E6.exe
    1⤵
    • Executes dropped EXE
    PID:4128
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
        PID:2236
    • C:\Users\Admin\AppData\Local\Temp\7643.exe
      C:\Users\Admin\AppData\Local\Temp\7643.exe
      1⤵
        PID:1280
      • C:\Users\Admin\AppData\Local\Temp\868F.exe
        C:\Users\Admin\AppData\Local\Temp\868F.exe
        1⤵
          PID:2376

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\6A89.exe
          Filesize

          20.7MB

          MD5

          d0c59443e41e1160209139841fa39c9f

          SHA1

          76be0077ce9dc5ef6756b8c202a6d5d94c759535

          SHA256

          de3b8eeffa2d3ce30a578af1de877afd5831e428ca7c0767933d6e6af9ac815c

          SHA512

          d954cd9752d04a8d182377505e5c9a9f942425daf99301e3a136d1dca7565d8b181485d08852194c1b9152752b75824ce55c052d3697bf0c54e48dfb56332f28

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\72E6.exe
          Filesize

          279KB

          MD5

          0de1d0372e15bbfeded7fb418e8c00ae

          SHA1

          6d0dc8617e5bcdd48dd5b45d8f40b97e4bbce0a1

          SHA256

          98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502

          SHA512

          7b3f2d2cc3fce6707be938053fd94a8a5edb48f7dad787847bd362329b6f07657fd7f66ab1f5c5d78db12aa7a41717ea3c7cbe8a1706d2456d1c42e9b1fb4e67

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7643.exe
          Filesize

          219KB

          MD5

          91d23595c11c7ee4424b6267aabf3600

          SHA1

          ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02

          SHA256

          d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47

          SHA512

          cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\868F.exe
          Filesize

          1.6MB

          MD5

          858d343fe3f763841babfd96e4282a29

          SHA1

          61ef349d6d2d76c28e80770c49f99f56d37e2900

          SHA256

          6f30916a8702c12308040e356a16e98189557d85b5abda43fd8c2f8b3133de6f

          SHA512

          905f9a9008bc1ec5e36d333f49dbf0eb2522b9016eb316b08ffe7c9a592235187c379128a2e2841790151fc3c8736075f4d445611fd090774275cdc42b190679

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\868F.exe
          Filesize

          1.2MB

          MD5

          d9272f48339d2fff46bdf9ca231866fb

          SHA1

          bf2ae059f6e8403100bed30d4f524670e01f3bf7

          SHA256

          d9dab8e325c4e4a5b45d00a631d0cdbbbee06d805eb9a43a69b403771ec890f7

          SHA512

          3738adfc0f6f430031b24c17bde97afa3c50a3502a3924c69122d8384b68c7321b71b590dd413aa8c597d1893a8902802ab43efbc0cfdaffb7222ec5e4f0b932

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\A47.exe
          Filesize

          401KB

          MD5

          f88edad62a7789c2c5d8047133da5fa7

          SHA1

          41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9

          SHA256

          eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc

          SHA512

          e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

          Download Submit

        • memory/860-25-0x0000000074A20000-0x00000000751D0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/860-30-0x0000000000420000-0x00000000018D6000-memory.dmp

          Filesize

          20.7MB

          Download

        • memory/1164-0-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/1164-4-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/1280-26-0x0000000074A20000-0x00000000751D0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1280-29-0x0000000000260000-0x000000000029C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/1280-36-0x00000000076F0000-0x0000000007C94000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2236-24-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2236-27-0x0000000074A20000-0x00000000751D0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2376-35-0x00000000007C0000-0x0000000000D72000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2376-34-0x0000000074A20000-0x00000000751D0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3384-1-0x0000000003410000-0x0000000003426000-memory.dmp

          Filesize

          88KB

          Download