Analysis Overview
SHA256
df872b0b7c336241db1a1ff9e83100d6ffb2b898a46c0c7b37a47dcbd002b056
Threat Level: Known bad
The file 718b5089505fed92d1a44dc0dbeb36dc was found to be: Known bad.
Malicious Activity Summary
Vidar
NullMixer
SmokeLoader
Vidar Stealer
Executes dropped EXE
Loads dropped DLL
ASPack v2.12-2.42
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-26 13:16
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-26 13:16
Reported
2024-01-06 15:22
Platform
win7-20231215-en
Max time kernel
2s
Max time network
146s
Signatures
NullMixer
SmokeLoader
Vidar
Vidar Stealer
ASPack v2.12-2.42
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com | N/A |
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_3.exe |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\718b5089505fed92d1a44dc0dbeb36dc.exe
"C:\Users\Admin\AppData\Local\Temp\718b5089505fed92d1a44dc0dbeb36dc.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_4.exe
sonia_4.exe
C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_7.exe
sonia_7.exe
C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_3.exe
sonia_3.exe
C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_5.exe
sonia_5.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Compatto.rtf
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^jvMDwkwydQdmnxGPmMOjYlbIlopECWXOZojRKCmISYgoKPYfXOyLKoMeYraSevCxTCAdoOyWjyxqVfYxlTHNQkrRvpTHpGGccUgofIipJpnFNMuJyYIpPPDHnITYVnMGn$" Oggi.rtf
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com n
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com
Triste.exe.com n
C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_6.exe
sonia_6.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 408
C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_1.exe" -a
C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_2.exe
sonia_2.exe
C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_1.exe
sonia_1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_1.exe
C:\Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 952
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
Network
Files
\Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe
\Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe
\Users\Admin\AppData\Local\Temp\7zSC4958226\libstdc++-6.dll
\Users\Admin\AppData\Local\Temp\7zSC4958226\libwinpthread-1.dll
\Users\Admin\AppData\Local\Temp\7zSC4958226\libgcc_s_dw2-1.dll
\Users\Admin\AppData\Local\Temp\7zSC4958226\libcurl.dll
\Users\Admin\AppData\Local\Temp\7zSC4958226\libcurlpp.dll
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-26 13:16
Reported
2024-01-06 15:22
Platform
win10v2004-20231222-en
Max time kernel
0s
Max time network
152s
Signatures
NullMixer
SmokeLoader
Vidar
Vidar Stealer
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\718b5089505fed92d1a44dc0dbeb36dc.exe
"C:\Users\Admin\AppData\Local\Temp\718b5089505fed92d1a44dc0dbeb36dc.exe"
C:\Users\Admin\AppData\Local\Temp\7zS0C988377\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0C988377\setup_install.exe"
C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_3.exe
sonia_3.exe
C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_5.exe
sonia_5.exe
C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_1.exe
sonia_1.exe
C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_6.exe
sonia_6.exe
C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_7.exe
sonia_7.exe
C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_1.exe" -a
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Compatto.rtf
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com n
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com
Triste.exe.com n
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^jvMDwkwydQdmnxGPmMOjYlbIlopECWXOZojRKCmISYgoKPYfXOyLKoMeYraSevCxTCAdoOyWjyxqVfYxlTHNQkrRvpTHpGGccUgofIipJpnFNMuJyYIpPPDHnITYVnMGn$" Oggi.rtf
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_4.exe
sonia_4.exe
C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_2.exe
sonia_2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_1.exe
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
Network
Files