Overview

overview

10

Static

static

3

1b5164f044...8a.exe

windows7-x64

10

1b5164f044...8a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-12-2023 14:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b5164f044f2c3a2cc01b2448bc0eb8a.exe

  • Size

    2.6MB

  • MD5

    1b5164f044f2c3a2cc01b2448bc0eb8a

  • SHA1

    d1b28f3d20560aa3ae207843b2605d53f645247e

  • SHA256

    318c2194ae43ddccf9ccf21d07087c6059683d3aba0d04f4fd720d503095950d

  • SHA512

    4ad85a2b6b4591ac690a16f778e38a514470fb078948b974e525b0388abc316df75add8df3b02016adae44918450fa9762d2e1887ccf6c64b5bdda10085b056f

  • SSDEEP

    49152:EgBtIhtz0tHnR8mxEYh4YkoVZCiMDf4j/Ee3O9ilydBFgabowS9c/aA:JBt2tzcKmy04K4y/9BydBXokSA

Score
10/10
nullmixersmokeloadervidar933pub5aspackv2backdoordropperevasionstealertrojan

Malware Config

Extracted

Family

nullmixer

C2

http://lotzini.xyz/

Extracted

Family

vidar

Version

39.7

Botnet

933

C2

https://shpak125.tumblr.com/

Attributes
  • profile_id

    933

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/
rc4.i32
rc4.i32

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
    evasiontrojan
  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar Stealer 2 IoCs
    stealer
  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 9 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 46 IoCs
  • Suspicious use of SendNotifyMessage 9 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b5164f044f2c3a2cc01b2448bc0eb8a.exe
    "C:\Users\Admin\AppData\Local\Temp\1b5164f044f2c3a2cc01b2448bc0eb8a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4004
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4252
      • C:\Users\Admin\AppData\Local\Temp\7zSC9099307\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zSC9099307\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3452
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sahiba_7.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4964
          • C:\Users\Admin\AppData\Local\Temp\7zSC9099307\sahiba_7.exe
            sahiba_7.exe
            5⤵
            • Executes dropped EXE
            PID:3972
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 472
          4⤵
          • Program crash
          PID:4904
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sahiba_6.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3224
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sahiba_5.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3880
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sahiba_4.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1648
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sahiba_3.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4568
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sahiba_2.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1616
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sahiba_1.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3268
  • C:\Users\Admin\AppData\Local\Temp\7zSC9099307\sahiba_4.exe
    sahiba_4.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3480
  • C:\Users\Admin\AppData\Local\Temp\7zSC9099307\sahiba_1.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSC9099307\sahiba_1.exe" -a
    1⤵
    • Executes dropped EXE
    PID:4700
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3452 -ip 3452
    1⤵
      PID:1768
    • C:\Users\Admin\AppData\Local\Temp\7zSC9099307\sahiba_5.exe
      sahiba_5.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:5044
    • C:\Users\Admin\AppData\Local\Temp\7zSC9099307\sahiba_1.exe
      sahiba_1.exe
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3636
    • C:\Users\Admin\AppData\Local\Temp\7zSC9099307\sahiba_2.exe
      sahiba_2.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2648
    • C:\Users\Admin\AppData\Local\Temp\7zSC9099307\sahiba_3.exe
      sahiba_3.exe
      1⤵
      • Executes dropped EXE
      PID:2408
    • C:\Windows\SysWOW64\rundll32.exe
      rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
      1⤵
      • Loads dropped DLL
      PID:1448
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 608
        2⤵
        • Program crash
        PID:4344
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1448 -ip 1448
      1⤵
        PID:4892
      • C:\Windows\system32\rUNdlL32.eXe
        rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1120
      • C:\Users\Admin\AppData\Local\Temp\7zSC9099307\sahiba_6.exe
        sahiba_6.exe
        1⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        PID:5108
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
        • Checks SCSI registry key(s)
        • Enumerates system info in registry
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:4008

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\7zSC9099307\libcurl.dll
        Filesize

        218KB

        MD5

        d09be1f47fd6b827c81a4812b4f7296f

        SHA1

        028ae3596c0790e6d7f9f2f3c8e9591527d267f7

        SHA256

        0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

        SHA512

        857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zSC9099307\libcurlpp.dll
        Filesize

        54KB

        MD5

        e6e578373c2e416289a8da55f1dc5e8e

        SHA1

        b601a229b66ec3d19c2369b36216c6f6eb1c063e

        SHA256

        43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

        SHA512

        9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zSC9099307\libgcc_s_dw2-1.dll
        Filesize

        113KB

        MD5

        9aec524b616618b0d3d00b27b6f51da1

        SHA1

        64264300801a353db324d11738ffed876550e1d3

        SHA256

        59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

        SHA512

        0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zSC9099307\libwinpthread-1.dll
        Filesize

        69KB

        MD5

        1e0d62c34ff2e649ebc5c372065732ee

        SHA1

        fcfaa36ba456159b26140a43e80fbd7e9d9af2de

        SHA256

        509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

        SHA512

        3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zSC9099307\setup_install.exe
        Filesize

        287KB

        MD5

        b107ead1f6283a5015291f05a95e2925

        SHA1

        2ccdbe2634ac6df52d3d92c3cbf050b1eba6a039

        SHA256

        9d8516a59bc0e5dc78c032ae2ab2133eaa17055e76805d036df85c9384d542e9

        SHA512

        d9dea1e930273896a7a87f81b9e1282064f8f620d3438d59136f59b4d7383430fc1c959184f1b4ae7d872573b97e423858ad3ec976a26bc09caeaa549ce7456a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
        Filesize

        2.0MB

        MD5

        82c9388e95defb58d34f5f00449bb126

        SHA1

        def45cdb82591c58c8d0c7690999e7c20c1c1d04

        SHA256

        0bf8d9e8459b70568125405f2af2ca8a349b9409c8e4fc52b8a0883547b368c4

        SHA512

        771b1d38a2414603968d7f5cb479a90f790100aaace0242e07838af5699482e510de80a57bc8f44975ce8c63f041e0f58dbaa2d2bc38e78a840531f29c3edbee

        Download Submit

      • C:\Users\Admin\AppData\Roaming\ejwjcet
        Filesize

        169KB

        MD5

        8c9ed3d0b6f68c02cef659fec67e724b

        SHA1

        3526faddd2e9252fac8a3080f71706759d9b1d3c

        SHA256

        8f70ea35a902211a223e2cdf80bc48315a1d383810c8bef68b61027cec80135c

        SHA512

        6a323d57021b5941dc7cf1315ef09b6fcf2759a561df8e75a13ab0c9cb0401116df2340a4c8f13184826a103cb5d6a06190de1769657e7f1dbafaaa01d7fcac8

        Download Submit

      • memory/2408-145-0x0000000002F10000-0x0000000003010000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2408-127-0x0000000002F10000-0x0000000003010000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2408-125-0x0000000000400000-0x0000000002BCA000-memory.dmp

        Filesize

        39.8MB

        Download

      • memory/2408-121-0x0000000002E40000-0x0000000002EDD000-memory.dmp

        Filesize

        628KB

        Download

      • memory/2648-108-0x0000000002C90000-0x0000000002D90000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2648-114-0x0000000004670000-0x0000000004679000-memory.dmp

        Filesize

        36KB

        Download

      • memory/2648-120-0x0000000000400000-0x0000000002B6E000-memory.dmp

        Filesize

        39.4MB

        Download

      • memory/3428-138-0x0000000002F80000-0x0000000002F95000-memory.dmp

        Filesize

        84KB

        Download

      • memory/3452-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3452-72-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3452-44-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3452-60-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/3452-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/3452-115-0x0000000064940000-0x0000000064959000-memory.dmp

        Filesize

        100KB

        Download

      • memory/3452-113-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3452-116-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/3452-117-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/3452-119-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3452-118-0x000000006EB40000-0x000000006EB63000-memory.dmp

        Filesize

        140KB

        Download

      • memory/3452-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3452-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3452-70-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/3452-74-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3452-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/3452-59-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/3452-76-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3452-75-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3452-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/3452-73-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3452-71-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/3452-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3452-66-0x0000000064940000-0x0000000064959000-memory.dmp

        Filesize

        100KB

        Download

      • memory/3452-77-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3452-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3452-62-0x0000000000F00000-0x0000000000F8F000-memory.dmp

        Filesize

        572KB

        Download

      • memory/3480-98-0x00007FFAE5210000-0x00007FFAE5CD1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3480-99-0x0000000000960000-0x0000000000970000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3480-141-0x0000000000960000-0x0000000000970000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3480-94-0x0000000000160000-0x0000000000168000-memory.dmp

        Filesize

        32KB

        Download

      • memory/5044-101-0x0000000001770000-0x000000000179C000-memory.dmp

        Filesize

        176KB

        Download

      • memory/5044-95-0x00007FFAE5210000-0x00007FFAE5CD1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/5044-96-0x0000000000F80000-0x0000000000FBE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/5044-128-0x00007FFAE5210000-0x00007FFAE5CD1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/5044-97-0x0000000001760000-0x0000000001766000-memory.dmp

        Filesize

        24KB

        Download

      • memory/5044-100-0x0000000001800000-0x0000000001810000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5044-102-0x00000000017A0000-0x00000000017A6000-memory.dmp

        Filesize

        24KB

        Download