Overview

overview

10

Static

static

10

c7a2d4deab...ce.exe

windows7-x64

10

c7a2d4deab...ce.exe

windows10-2004-x64

10

Resubmissions

31-12-2023 02:29

231231-cyw53ahfg6 10

31-12-2023 02:09

231231-ck5kaaefd3 10

Analysis

  • max time kernel
    170s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-12-2023 02:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c7a2d4deab33d14c5c0df61413662f9c025a289c61378a0cd660d0daf521a0ce.exe

  • Size

    37KB

  • MD5

    c921001283ef83c22480a86838160329

  • SHA1

    015b62dc84aac30eadf2228fcc978d7a8adb2950

  • SHA256

    c7a2d4deab33d14c5c0df61413662f9c025a289c61378a0cd660d0daf521a0ce

  • SHA512

    e7967f21f62261fc8fff068e284cebc15bbe2bd3fa02c6b9379c711313c7a1599bf5cb733a9d3342453e6dc16ace411c1cd3dfb6d1028ab4db681b70a70c79b7

  • SSDEEP

    768:3E45SLnQpEhOB/hAGflc5xOXhr7gvexzv36:3E4EqEhOPNfqStgvexzv3

Score
10/10
gluptebaredlinesmokeloaderlivetraficup3backdoordropperinfostealerloadertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://185.215.113.68/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

LiveTrafic

C2

20.79.30.95:13856

Extracted

Family

smokeloader

Botnet

up3

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 2 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 4 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7a2d4deab33d14c5c0df61413662f9c025a289c61378a0cd660d0daf521a0ce.exe
    "C:\Users\Admin\AppData\Local\Temp\c7a2d4deab33d14c5c0df61413662f9c025a289c61378a0cd660d0daf521a0ce.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2912
  • C:\Users\Admin\AppData\Local\Temp\E22D.exe
    C:\Users\Admin\AppData\Local\Temp\E22D.exe
    1⤵
    • Executes dropped EXE
    PID:2872
  • C:\Users\Admin\AppData\Local\Temp\2A53.exe
    C:\Users\Admin\AppData\Local\Temp\2A53.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4144
    • C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
      2⤵
      • Executes dropped EXE
      PID:1472
      • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        3⤵
          PID:2292
      • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
        "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
        2⤵
        • Executes dropped EXE
        PID:2936
        • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
          "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
          3⤵
            PID:3168
        • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
          "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
          2⤵
          • Executes dropped EXE
          PID:3036
        • C:\Users\Admin\AppData\Local\Temp\tuc4.exe
          "C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
          2⤵
            PID:4296
          • C:\Users\Admin\AppData\Local\Temp\etopt.exe
            "C:\Users\Admin\AppData\Local\Temp\etopt.exe"
            2⤵
              PID:4664
          • C:\Users\Admin\AppData\Local\Temp\5973.exe
            C:\Users\Admin\AppData\Local\Temp\5973.exe
            1⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2288
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              2⤵
                PID:2164

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Credential Access

            Discovery

            Query Registry

            3
            T1012

            System Information Discovery

            3
            T1082

            Peripheral Device Discovery

            1
            T1120

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Web Service

            1
            T1102

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\2A53.exe
              Filesize

              18.8MB

              MD5

              ed2fd5173af900c56220101ce6648515

              SHA1

              d8783b8dc155314c5680aebddd4e36df7ddfebbf

              SHA256

              ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098

              SHA512

              ef7bac0140e2e492a4d1751d9a6d1fe6ec94649bd6a00006f159a067b774ee8870d567e0fae2e08ebf16db3d11c2dfe2fcf5884d7d27d74fdba34781500f9806

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
              Filesize

              4.2MB

              MD5

              1e40d9a53d79aa807eb8af132f417e53

              SHA1

              9cb867a33a7115138606479baa740632f748ba81

              SHA256

              d803a1507ae95b77349968fa40c8b1a217c23ce7e54cce2e5ef6ce73f7f576ca

              SHA512

              99b9ac8390d5fd7ec87aec16e866db0011ab8ce56d8a5cf54fea97b257a5f3d2520726ce4fb238d57590a412f13d80f1bca24ab5e4250ee23bbf86f3c82925eb

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\5973.exe
              Filesize

              361KB

              MD5

              202cb6c429aa5d518237849225c927c7

              SHA1

              58eb50cb2c82a884c28d708cae6bee126b9a8794

              SHA256

              2215a6899763c1b3ff74af19a9ff8cb11a7032efe2367560aa31811431daff88

              SHA512

              071a348b0fc6ffbc3925e637acce0c0a58f21a90894e6f7e7ff470eb08b8413f4318c2ff679886a9dfb6231382d17d119ff16847efc9173a402fe415acd03860

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
              Filesize

              4.7MB

              MD5

              ed32cf76eba2710c975d6150d10962ea

              SHA1

              bcebdf2f43c646c28221aead68fcb52c86378858

              SHA256

              a2cbb50234c3757ec65ba9eae73a5c2db0509cc829edac4a5648e47de8ce7bda

              SHA512

              ea6d9bd593d199613b1b4d309ec212ab5bf0d7ba18fd12be3643550f50e9c984c52544cdbacb472e07bd1dd6712c27af74d1bd2ff12df08e5e6b4320500ab0ca

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\E22D.exe
              Filesize

              3.8MB

              MD5

              6c495d32cd41ec78c256d1f3dbf53312

              SHA1

              088e77057a7967826bdada4fa494381312a7186a

              SHA256

              de5b12b7d320bb45eabbb5bbcb80668d01b3c3f4bff3b25f418c90e4506b4637

              SHA512

              98c4f2164bcc448a69b40a69f88e24d5fa7db1a6a0f6c3f17c71859290ad5b6aaa09682f069a260ddaf8f362e399381c43e67eacf4bc4485e2a3d7bcb773e791

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
              Filesize

              2.2MB

              MD5

              31f42479194700f598c22ea83fa196c1

              SHA1

              0552ca7766283d7add7c06312ecb5e858d3a2ea0

              SHA256

              098b76a1d654efe963b1d6167dc77d34627b8488d742c49bfb70e8d70b1755a7

              SHA512

              afc83e94dc92453312a4d24193b0d3c17cf37644a5cf25b2c934f27d58968c41a5b176de12c2c5c5c8c1d2fbdb57d235a5073fe304f6b12e11a40e2cb52ee836

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\etopt.exe
              Filesize

              4.3MB

              MD5

              f77abc2f79780428ca514c0041c8b9e9

              SHA1

              2d2bd0cfe56fbcf3c1ca78790927531b5219a5a0

              SHA256

              d02718250398639963db5042756d15f138f518f1f4cea9914a685c7b7e59d325

              SHA512

              b6067652eb8c6778825ecbdd2252115f08167f121a41efaa894facbe71b45d9fc732cb62d1bec843d922e402cca76ffa1523607dba1acec6a806e40bf18002cf

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\etopt.exe
              Filesize

              1.0MB

              MD5

              15832a1857c5c5eccbb4b6d7963e9b8c

              SHA1

              f5d55c4c77727991014e59d82a64f35ea102b432

              SHA256

              6e3b85a62534302accb00d5e993f576c87c7c0c08d8d19070979e26eca3905c4

              SHA512

              6a0bbafb627d328bdff441c9e5d02dbba826dae768b7216f492717d5691e304b69986122400c6eb6d0dc88eae69be0d89b05430c6fb04c579915f32a943e4e59

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\nsh6BCC.tmp\Checker.dll
              Filesize

              41KB

              MD5

              8dcc038ce15a235ea9e22fc9663e4c40

              SHA1

              cc702c128e3035d42220bd504d6c061967d3726f

              SHA256

              64b23aa5ca4e2e516fae3d2480957d6f1065c91caa930e0ffac2bda1cadea76a

              SHA512

              bf81fee736e02680b2d5cd23dd360430b9bd97ad1f75ae9485e82b548f61b83a092c5e17a4d537a06ece6384003aeb9b7b9e7eac4a7ffb2b371160570bce6b81

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\nsz645B.tmp\INetC.dll
              Filesize

              25KB

              MD5

              40d7eca32b2f4d29db98715dd45bfac5

              SHA1

              124df3f617f562e46095776454e1c0c7bb791cc7

              SHA256

              85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

              SHA512

              5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
              Filesize

              283KB

              MD5

              2d24e3baa2a16e47bee10e91381e6391

              SHA1

              013b59b2cd69e93694196dfb34fddc8684cfd619

              SHA256

              ff2e975c649d66476c48ac9fe64455eb0727fede676d000728d09d62d2dc6db4

              SHA512

              be515895b29390e1c9c44620f7b18c8ae57d08627b8bbf7484b551ccf079011f95baa78e71c1a2a6280b544dd06444b509b7c9ba126b525d813afd68010b03e7

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\tuc4.exe
              Filesize

              7.8MB

              MD5

              69cf42bbfe7778ce5d750aa4b51aad9d

              SHA1

              56ddf58f4daefcef0426e0dd4e2328ec9b26d103

              SHA256

              66b0db1d4e7e6ba98f066e85a540245f95bc625137c6c5d65d6e21dcdccdbead

              SHA512

              b1bb13b908d11b072395b5e0f1d5c4b7fdf10f72655d6bc05cf39965a38dde71a6e1f00e43ca883dd01033f5696d3ba3e9f9571a7eb2bbfcb54efae34c01572e

              Download Submit
            • memory/2164-40-0x0000000005520000-0x0000000005AC4000-memory.dmp
              Filesize

              5.6MB

              Download
            • memory/2164-39-0x0000000075240000-0x00000000759F0000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/2164-44-0x0000000075240000-0x00000000759F0000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/2164-55-0x00000000050E0000-0x00000000050EA000-memory.dmp
              Filesize

              40KB

              Download
            • memory/2164-34-0x0000000000400000-0x0000000000452000-memory.dmp
              Filesize

              328KB

              Download
            • memory/2164-42-0x00000000051B0000-0x00000000051C0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/2164-41-0x0000000005020000-0x00000000050B2000-memory.dmp
              Filesize

              584KB

              Download
            • memory/2164-98-0x00000000051B0000-0x00000000051C0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/2288-35-0x00000000028F0000-0x00000000028F1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2288-37-0x0000000075240000-0x00000000759F0000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/2288-31-0x0000000005200000-0x0000000005210000-memory.dmp
              Filesize

              64KB

              Download
            • memory/2288-33-0x00000000028F0000-0x00000000028F1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2288-24-0x00000000006D0000-0x0000000000730000-memory.dmp
              Filesize

              384KB

              Download
            • memory/2288-32-0x00000000028F0000-0x00000000028F1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2288-30-0x0000000075240000-0x00000000759F0000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/2288-23-0x0000000075240000-0x00000000759F0000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/2872-27-0x0000000075240000-0x00000000759F0000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/2872-26-0x0000000000050000-0x0000000000416000-memory.dmp
              Filesize

              3.8MB

              Download
            • memory/2872-43-0x0000000004EE0000-0x0000000004EF0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/2872-115-0x0000000004EE0000-0x0000000004EF0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/2872-28-0x0000000004F90000-0x000000000502C000-memory.dmp
              Filesize

              624KB

              Download
            • memory/2872-45-0x00000000053A0000-0x000000000567A000-memory.dmp
              Filesize

              2.9MB

              Download
            • memory/2872-16-0x0000000075240000-0x00000000759F0000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/2912-2-0x0000000000400000-0x000000000040A000-memory.dmp
              Filesize

              40KB

              Download
            • memory/2912-0-0x0000000000400000-0x000000000040A000-memory.dmp
              Filesize

              40KB

              Download
            • memory/2936-80-0x00000000005A0000-0x00000000005A9000-memory.dmp
              Filesize

              36KB

              Download
            • memory/2936-79-0x0000000000700000-0x0000000000800000-memory.dmp
              Filesize

              1024KB

              Download
            • memory/3036-105-0x0000000002E30000-0x000000000371B000-memory.dmp
              Filesize

              8.9MB

              Download
            • memory/3036-101-0x0000000002A30000-0x0000000002E2C000-memory.dmp
              Filesize

              4.0MB

              Download
            • memory/3036-113-0x0000000000400000-0x0000000000D1C000-memory.dmp
              Filesize

              9.1MB

              Download
            • memory/3168-97-0x0000000000400000-0x0000000000409000-memory.dmp
              Filesize

              36KB

              Download
            • memory/3168-94-0x0000000000400000-0x0000000000409000-memory.dmp
              Filesize

              36KB

              Download
            • memory/3380-1-0x00000000073E0000-0x00000000073F6000-memory.dmp
              Filesize

              88KB

              Download
            • memory/4144-106-0x0000000075240000-0x00000000759F0000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/4144-17-0x0000000075240000-0x00000000759F0000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/4144-25-0x0000000000430000-0x000000000170E000-memory.dmp
              Filesize

              18.9MB

              Download
            • memory/4144-29-0x0000000075240000-0x00000000759F0000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/4296-114-0x0000000000400000-0x0000000000414000-memory.dmp
              Filesize

              80KB

              Download
            • memory/4296-126-0x0000000000400000-0x0000000000414000-memory.dmp
              Filesize

              80KB

              Download