Analysis
- max time kernel: 0s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-12-2023 13:16
- Static task: static1
- Behavioral task: behavioral1
- Sample: 718b5089505fed92d1a44dc0dbeb36dc.exe
- Resource: win7-20231215-en
General
- Target: 718b5089505fed92d1a44dc0dbeb36dc.exe
- Size: 2.8MB
- MD5: 718b5089505fed92d1a44dc0dbeb36dc
- SHA1: f4afe14c1b392514350f4495c44f998d3f19128f
- SHA256: df872b0b7c336241db1a1ff9e83100d6ffb2b898a46c0c7b37a47dcbd002b056
- SHA512: 4c9d292125343b5b7edfe0051454fff957c040fd822e9b9d32f6a94d654dae778ca6fcb1e269adcb83363b3ade2893ae2ae63558f2906185ed67298c841bc807
- SSDEEP: 49152:xcBszOxu3gCpbwOXh+1b4yFjErlsV6SP5iWyZ9KFFdZyZmj9MJ0yEwJ84vLRaBtf:xSizpbwOxKb4y8sVwWyZ0aZw9zCvLUBN
Malware Config
- Extracted: nullmixer
  - http://watira.xyz/
- Extracted: vidar
  - 39.7
  - 706
  - https://shpak125.tumblr.com/
  - profile_id: 706
- Extracted: smokeloader
  - pub5
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Vidar Stealer (5 IoCs)
  Processes (resource, YARA rule):
  - behavioral2/memory/1088-100-0x0000000000650000-0x0000000000750000-memory.dmp  family_vidar
  - behavioral2/memory/1088-101-0x0000000000400000-0x00000000004C0000-memory.dmp  family_vidar
  - behavioral2/memory/1088-99-0x0000000002170000-0x000000000220D000-memory.dmp  family_vidar
  - behavioral2/memory/1088-130-0x0000000002170000-0x000000000220D000-memory.dmp  family_vidar
  - behavioral2/memory/1088-129-0x0000000000400000-0x00000000004C0000-memory.dmp  family_vidar
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, IoC):
  - 15  ipinfo.io
  - 16  ipinfo.io
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 1 IoC)
Processes (indented by process-tree level; each entry lists image path, command line and PID)
- [1] C:\Users\Admin\AppData\Local\Temp\718b5089505fed92d1a44dc0dbeb36dc.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\718b5089505fed92d1a44dc0dbeb36dc.exe"
      PID: 2496
  - [2] C:\Users\Admin\AppData\Local\Temp\7zS0C988377\setup_install.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\7zS0C988377\setup_install.exe"
        PID: 4760
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c sonia_7.exe
          PID: 3236
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c sonia_6.exe
          PID: 3660
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c sonia_5.exe
          PID: 4060
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c sonia_4.exe
          PID: 3340
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c sonia_3.exe
          PID: 3112
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c sonia_2.exe
          PID: 3692
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c sonia_1.exe
          PID: 1608
- [1] C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_3.exe
      cmd: sonia_3.exe
      PID: 1088
- [1] C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_5.exe
      cmd: sonia_5.exe
      PID: 4884
- [1] C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_1.exe
      cmd: sonia_1.exe
      PID: 1920
  - [2] C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_1.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_1.exe" -a
        PID: 4664
- [1] C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_6.exe
      cmd: sonia_6.exe
      PID: 2932
  - [2] C:\Windows\SysWOW64\cmd.exe
        cmd: "C:\Windows\System32\cmd.exe" /c cmd < Compatto.rtf
        PID: 3828
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: cmd
          PID: 2880
- [1] C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_7.exe
      cmd: sonia_7.exe
      PID: 5028
- [1] C:\Windows\SysWOW64\PING.EXE
      cmd: ping 127.0.0.1 -n 30
      signature: Runs ping.exe
      PID: 2608
- [1] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com
      cmd: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com n
      PID: 2472
- [1] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com
      cmd: Triste.exe.com n
      PID: 3884
- [1] C:\Windows\SysWOW64\findstr.exe
      cmd: findstr /V /R "^jvMDwkwydQdmnxGPmMOjYlbIlopECWXOZojRKCmISYgoKPYfXOyLKoMeYraSevCxTCAdoOyWjyxqVfYxlTHNQkrRvpTHpGGccUgofIipJpnFNMuJyYIpPPDHnITYVnMGn$" Oggi.rtf
      PID: 4812
- [1] C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_4.exe
      cmd: sonia_4.exe
      PID: 3512
- [1] C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_2.exe
      cmd: sonia_2.exe
      PID: 740
- [1] C:\Windows\system32\dwm.exe
      cmd: "dwm.exe"
      PID: 5116
- [1] C:\Windows\system32\dwm.exe
      cmd: "dwm.exe"
      PID: 4992