Analysis
max time kernel: 0s
max time network: 148s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 31-12-2023 04:26
Static task: static1
General
Target: 281c7ba6787d047d9eff840c79c19816.exe
Size: 4.0MB
MD5: 281c7ba6787d047d9eff840c79c19816
SHA1: 1b41a63ce815c055038824ecd67fb606a2210fc7
SHA256: aa9b8b79b9b4e0478e85c4ae5b08c15aadea45cac7617de2c298070fd781748e
SHA512: 8ba03a346dc3246abd8af0768f20c71cf875de6554dfa961c17de373fe28f6252a3c263238760148a208d830e53fb399b8bafceaa2f678c94b891a08b517dfc4
SSDEEP: 98304:JH4fPHwHNLfwCFx7zWBBWUhT0BRQf6608yFLBiMt/cwC:JYnQtz/WBcEIKVML1qwC
Malware Config

Extracted: nullmixer
  http://watira.xyz/

Extracted: smokeloader
  pub5

Extracted: vidar
  39.9
  706
  https://prophefliloc.tumblr.com/
  profile_id: 706

Extracted: redline
  OLKani
  ataninamei.xyz:80

Extracted: smokeloader
  2020
  http://aucmoney.com/upload/
  http://thegymmum.com/upload/
  http://atvcampingtrips.com/upload/
  http://kuapakualaman.com/upload/
  http://renatazarazua.com/upload/
  http://nasufmutlu.com/upload/
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 5 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1344-208-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
behavioral1/memory/1344-206-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
behavioral1/memory/1344-204-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
behavioral1/memory/1344-201-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
behavioral1/memory/1344-200-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline

SectopRAT payload 5 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1344-208-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
behavioral1/memory/1344-206-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
behavioral1/memory/1344-204-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
behavioral1/memory/1344-201-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
behavioral1/memory/1344-200-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.

Nirsoft 5 IoCs
Processes:
resource  yara_rule
behavioral1/memory/632-192-0x0000000000400000-0x000000000045B000-memory.dmp  Nirsoft
behavioral1/memory/1532-196-0x0000000000400000-0x000000000045B000-memory.dmp  Nirsoft
behavioral1/memory/2776-222-0x0000000000410000-0x000000000046B000-memory.dmp  Nirsoft
behavioral1/memory/2244-220-0x0000000000400000-0x000000000045B000-memory.dmp  Nirsoft
behavioral1/memory/1252-215-0x0000000000400000-0x000000000045B000-memory.dmp  Nirsoft

Vidar Stealer 4 IoCs
Processes:
resource  yara_rule
behavioral1/memory/2792-155-0x0000000003090000-0x000000000312D000-memory.dmp  family_vidar
behavioral1/memory/2792-170-0x0000000000400000-0x0000000002CC3000-memory.dmp  family_vidar
behavioral1/memory/2792-172-0x0000000000240000-0x0000000000340000-memory.dmp  family_vidar
behavioral1/memory/2792-326-0x0000000000400000-0x0000000002CC3000-memory.dmp  family_vidar

Processes:
resource  yara_rule
\Users\Admin\AppData\Local\Temp\7zSCC707336\libcurl.dll  aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSCC707336\libcurl.dll  aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSCC707336\libcurlpp.dll  aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSCC707336\setup_install.exe  aspack_v212_v242

Executes dropped EXE 1 IoCs
Processes:
pid  process
1996  setup_installer.exe

Loads dropped DLL 5 IoCs
Processes:
pid  process
1748  281c7ba6787d047d9eff840c79c19816.exe
1996  setup_installer.exe
1996  setup_installer.exe
1996  setup_installer.exe
1996  setup_installer.exe

Processes:
resource  yara_rule
behavioral1/memory/632-192-0x0000000000400000-0x000000000045B000-memory.dmp  upx
behavioral1/memory/1532-196-0x0000000000400000-0x000000000045B000-memory.dmp  upx
behavioral1/memory/2244-220-0x0000000000400000-0x000000000045B000-memory.dmp  upx
behavioral1/memory/1252-215-0x0000000000400000-0x000000000045B000-memory.dmp  upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
11  ipinfo.io
19  ip-api.com
38  api.db-ip.com
42  api.db-ip.com
3  ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 2 IoCs
Processes:
pid  pid_target  process
2532  2564  WerFault.exe
2708  2792  WerFault.exe  sonia_3.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid  process
2028  schtasks.exe
2888  schtasks.exe

Suspicious use of WriteProcessMemory 14 IoCs
Processes:
description  pid  process  target process
PID 1748 wrote to memory of 1996  1748  281c7ba6787d047d9eff840c79c19816.exe  setup_installer.exe
PID 1748 wrote to memory of 1996  1748  281c7ba6787d047d9eff840c79c19816.exe  setup_installer.exe
PID 1748 wrote to memory of 1996  1748  281c7ba6787d047d9eff840c79c19816.exe  setup_installer.exe
PID 1748 wrote to memory of 1996  1748  281c7ba6787d047d9eff840c79c19816.exe  setup_installer.exe
PID 1748 wrote to memory of 1996  1748  281c7ba6787d047d9eff840c79c19816.exe  setup_installer.exe
PID 1748 wrote to memory of 1996  1748  281c7ba6787d047d9eff840c79c19816.exe  setup_installer.exe
PID 1748 wrote to memory of 1996  1748  281c7ba6787d047d9eff840c79c19816.exe  setup_installer.exe
PID 1996 wrote to memory of 2564  1996  setup_installer.exe  setup_install.exe
PID 1996 wrote to memory of 2564  1996  setup_installer.exe  setup_install.exe
PID 1996 wrote to memory of 2564  1996  setup_installer.exe  setup_install.exe
PID 1996 wrote to memory of 2564  1996  setup_installer.exe  setup_install.exe
PID 1996 wrote to memory of 2564  1996  setup_installer.exe  setup_install.exe
PID 1996 wrote to memory of 2564  1996  setup_installer.exe  setup_install.exe
PID 1996 wrote to memory of 2564  1996  setup_installer.exe  setup_install.exe
Processes
(each entry: image path, command line, PID, signature tags; indentation shows the depth the tree view reported)

C:\Users\Admin\AppData\Local\Temp\281c7ba6787d047d9eff840c79c19816.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\281c7ba6787d047d9eff840c79c19816.exe"
  PID: 1748
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    PID: 1996
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\7zSCC707336\setup_install.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zSCC707336\setup_install.exe"
      PID: 2564

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c sonia_5.exe
  PID: 2516

  C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_5.exe
    Command line: sonia_5.exe
    PID: 2680

C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_1.exe" -a
  PID: 2816

C:\Users\Admin\AppData\Local\Temp\is-R0QKR.tmp\sonia_5.tmp
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-R0QKR.tmp\sonia_5.tmp" /SL5="$201D8,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_5.exe"
  PID: 2304

C:\Users\Admin\AppData\Local\Temp\chrome2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
  PID: 832

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
    PID: 2296

  C:\Users\Admin\AppData\Roaming\services64.exe
    Command line: "C:\Users\Admin\AppData\Roaming\services64.exe"
    PID: 1060

    C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      PID: 1160

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      PID: 488

C:\Users\Admin\AppData\Local\Temp\setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  PID: 864

  C:\Windows\winnetdriv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe" 1704172488 0
    PID: 1104

C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_8.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_8.exe
  PID: 1344

C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_9.exe
  Command line: sonia_9.exe
  PID: 2776

  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"
    PID: 1532

  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    PID: 632

  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
    PID: 2244

  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    PID: 1252

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 424
  PID: 2532
  - Program crash

C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_3.exe
  Command line: sonia_3.exe
  PID: 2792

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 956
    PID: 2708
    - Program crash

C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_7.exe
  Command line: sonia_7.exe
  PID: 1972

C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_8.exe
  Command line: sonia_8.exe
  PID: 1260

C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_4.exe
  Command line: sonia_4.exe
  PID: 2684

C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_6.exe
  Command line: sonia_6.exe
  PID: 1088

C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_1.exe
  Command line: sonia_1.exe
  PID: 1668

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c sonia_9.exe
  PID: 1896

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c sonia_8.exe
  PID: 2176

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c sonia_7.exe
  PID: 1200

C:\Users\Admin\AppData\Local\Temp\7zSCC707336\sonia_2.exe
  Command line: sonia_2.exe
  PID: 1704

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c sonia_6.exe
  PID: 1912

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c sonia_4.exe
  PID: 2732

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c sonia_3.exe
  PID: 1992

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c sonia_2.exe
  PID: 2812

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c sonia_1.exe
  PID: 960

C:\Windows\system32\schtasks.exe
  Command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
  PID: 2028
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
  Command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
  PID: 2888
  - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Filesize: 287KB
MD5: 7a82c73b9a1b6bf3d2aefe2f3740a564
SHA1: 1debd41cb9589c9ebc50b0e370d6d8da565be370
SHA256: 35a72b874265e4109dd7d94a37c4417b8fb71a158c4ad10100ef112480b4a8bf
SHA512: 61c110e3f12b31fb429afc2fc5b074ab6d4665a8e1b716660bc3f4ef8360ab4187d6137b553430e104998307a849ac9a5db206a2ac20665e890e9bb4c88d6787

Filesize: 1024KB
MD5: 8852c87022bfd885eee1f5042c174e69
SHA1: e533583663ea373ed0f2373429eebb76095eafdc
SHA256: b74941b7ca4073da3811c43f460a34cf8d0961b28184dc8587393a2ae712250a
SHA512: 6172e120caad1edd2ca931e4b32b7bffac7af68efd3d696a7d51ae00189de43bed2ef3fe2b244e9652cc42ec722dc61bd3c325e95d18635cc6b77495490b5da7

Filesize: 92KB
MD5: 673050d625365311e9df1a05df0f7dcb
SHA1: 6573c9cf66718492b2b4b72fd53add9a88ac7fce
SHA256: 1bc677aa959a8cbf2ea05eabdd1694c7bd03998e31ab19143b17bb65fcfd8e18
SHA512: 86e9d8091281cf0387aa5ef48f0193cb5cf644f9c485367e411e3ab50a8440e26c1712f5f06180cf72b09feadc2ae10c4df1698de4088f755a1d3590c80a868b

Filesize: 54KB
MD5: e6e578373c2e416289a8da55f1dc5e8e
SHA1: b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256: 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512: 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Filesize: 69KB
MD5: 1e0d62c34ff2e649ebc5c372065732ee
SHA1: fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256: 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512: 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Filesize: 149KB
MD5: f50e3c9dab41fff49ef3ef06d0df3fb3
SHA1: cc81aead7c570cd4d66c8af19160271481aee2bb
SHA256: 0b4ffa804ab4a271df8df1f8ebda7b6dfbcf0ed430711293f7126d5ea0379fcd
SHA512: 05a795c78cab3ba94dc8cca39b7cefd0dba67779bb73d9209b9f83db903be7dc9b3cc991ac373f5a5a86715247866fe5155a2f6ee7ea54b2ddf77aa17ab70c40

Filesize: 142KB
MD5: 5edda3e85ac52ccfd566fe8fb4cf39eb
SHA1: 8afc0f9b3c121b02d5ea2089bfa4a0e52d1be0c1
SHA256: c812b0194edb10563ab2776b2f1355aa347006542bd0179e1287a06c86440011
SHA512: 46b03ebb82e03ae86497ffcdec017237dec4a638d90dbe3a06d259802f0418af473510fa23735b55ecc72bbcde83f7c4d153e3c9cc82fbf1121aded9e056c43a

Filesize: 193KB
MD5: 1c54b87d200630284ab2e20dfce4c5d2
SHA1: 08823afa8766ae3f1414c25fbb4560e169125174
SHA256: 7f03656ca0b99bd4f1fe6530fd9b83d0d9206a456edb279badd19f19f6802bf6
SHA512: ddc472bffda4f8810bad287de6b977d21651cb886b51f0aa955ef97f7359b68b6810d588e6ded59e82cb61a4c01ea464db633eebde510f3897dba8c94248eb56

Filesize: 513KB
MD5: ec4e09376dc16ba224e302c6539c2535
SHA1: cf054983294975b1c47ae9e415675b7f594935fb
SHA256: 0a52e61c606002947c4b336469636f643c55fdf752a919c182c051f85660d248
SHA512: 184281cc7921d44c1671ad8bcbf8420400bf1e1945f861c99ca4264514afd1f5a2ea90a5b8dd8f860505b51f61ff56cfe9b54900595ba5f8c995e71f29edbcc3