Analysis
max time kernel: 1s
max time network: 150s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31-12-2023 07:23
Static task: static1
General
Target: 2d3e5a2a2243d788901fb182156f4031.exe
Size: 4.5MB
MD5: 2d3e5a2a2243d788901fb182156f4031
SHA1: acf66cababaeba6d72e72d2962405f41052d79a0
SHA256: a5f4eb3b915bcfdd72cb81b7d89c0c0fd6b190b637db6ffad25604d24985f9e8
SHA512: 74287eab6153bb074dc6b5c2f25624b70a4bda2eb54a1071a37a4adf0781646b7ecdccfc86e794ce1d6ceeb75b070f0e8ea78c9642fa67147f3c806f03245888
SSDEEP: 98304:Jwg2hGtNVybTZMYTX1Wnlz1vdN0J5Nfm/Fb0bIQ81NN25Fv:JwvhoybtMYxWZBGBm9b0bIJ5Ol
Malware Config
Extracted: smokeloader
  pub5
Extracted: vidar
  39.4
  706
  https://sergeevih43.tumblr.com/
  profile_id: 706
Extracted: nullmixer
  http://sokiran.xyz/
Extracted: smokeloader
  2020
  http://ppcspb.com/upload/
  http://mebbing.com/upload/
  http://twcamel.com/upload/
  http://howdycash.com/upload/
  http://lahuertasonora.com/upload/
  http://kpotiques.com/upload/
Extracted: redline
  DomAni
  ergerr3.top:80
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/564-350-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral1/memory/564-348-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral1/memory/564-346-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral1/memory/564-343-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral1/memory/564-342-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline

SectopRAT payload (5 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/564-350-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
behavioral1/memory/564-348-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
behavioral1/memory/564-346-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
behavioral1/memory/564-343-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
behavioral1/memory/564-342-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
SmokeLoader
Modular backdoor trojan in use since 2014.

Nirsoft (2 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/772-160-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
behavioral1/memory/2896-205-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft

Vidar Stealer (4 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1260-168-0x00000000004C0000-0x000000000055D000-memory.dmp | family_vidar
behavioral1/memory/1260-171-0x0000000000400000-0x00000000004BA000-memory.dmp | family_vidar
behavioral1/memory/1260-321-0x0000000000400000-0x00000000004BA000-memory.dmp | family_vidar
behavioral1/memory/1260-352-0x00000000004C0000-0x000000000055D000-memory.dmp | family_vidar

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS4D468136\libcurl.dll | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS4D468136\libcurlpp.dll | aspack_v212_v242
Executes dropped EXE (2 IoCs)
Processes:
pid | process
1236 | setup_installer.exe
2792 | setup_install.exe

Loads dropped DLL (7 IoCs)
Processes:
pid | process
2480 | 2d3e5a2a2243d788901fb182156f4031.exe
1236 | setup_installer.exe
1236 | setup_installer.exe
1236 | setup_installer.exe
1236 | setup_installer.exe
1236 | setup_installer.exe
1236 | setup_installer.exe

Processes:
resource | yara_rule
behavioral1/memory/772-160-0x0000000000400000-0x000000000045B000-memory.dmp | upx
behavioral1/memory/2896-205-0x0000000000400000-0x000000000045B000-memory.dmp | upx
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
4 | ip-api.com
57 | ipinfo.io
58 | ipinfo.io

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
Processes:
pid | pid_target | process
1704 | 2792 | WerFault.exe
276 | 1260 | WerFault.exe | sonia_3.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
description | pid | process | target process
PID 2480 wrote to memory of 1236 | 2480 | 2d3e5a2a2243d788901fb182156f4031.exe | setup_installer.exe
PID 2480 wrote to memory of 1236 | 2480 | 2d3e5a2a2243d788901fb182156f4031.exe | setup_installer.exe
PID 2480 wrote to memory of 1236 | 2480 | 2d3e5a2a2243d788901fb182156f4031.exe | setup_installer.exe
PID 2480 wrote to memory of 1236 | 2480 | 2d3e5a2a2243d788901fb182156f4031.exe | setup_installer.exe
PID 2480 wrote to memory of 1236 | 2480 | 2d3e5a2a2243d788901fb182156f4031.exe | setup_installer.exe
PID 2480 wrote to memory of 1236 | 2480 | 2d3e5a2a2243d788901fb182156f4031.exe | setup_installer.exe
PID 2480 wrote to memory of 1236 | 2480 | 2d3e5a2a2243d788901fb182156f4031.exe | setup_installer.exe
PID 1236 wrote to memory of 2792 | 1236 | setup_installer.exe | setup_install.exe
PID 1236 wrote to memory of 2792 | 1236 | setup_installer.exe | setup_install.exe
PID 1236 wrote to memory of 2792 | 1236 | setup_installer.exe | setup_install.exe
PID 1236 wrote to memory of 2792 | 1236 | setup_installer.exe | setup_install.exe
PID 1236 wrote to memory of 2792 | 1236 | setup_installer.exe | setup_install.exe
PID 1236 wrote to memory of 2792 | 1236 | setup_installer.exe | setup_install.exe
PID 1236 wrote to memory of 2792 | 1236 | setup_installer.exe | setup_install.exe
Processes
(child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\2d3e5a2a2243d788901fb182156f4031.exe (PID 2480)
  command line: "C:\Users\Admin\AppData\Local\Temp\2d3e5a2a2243d788901fb182156f4031.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\setup_installer.exe (PID 1236)
    command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\7zS4D468136\setup_install.exe (PID 2792)
      command line: "C:\Users\Admin\AppData\Local\Temp\7zS4D468136\setup_install.exe"
      - Executes dropped EXE

C:\Windows\SysWOW64\cmd.exe (PID 2948)
  command line: C:\Windows\system32\cmd.exe /c sonia_3.exe
  C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_3.exe (PID 1260)
    command line: sonia_3.exe
    C:\Windows\SysWOW64\WerFault.exe (PID 276)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 956
      - Program crash

C:\Windows\SysWOW64\cmd.exe (PID 3012)
  command line: C:\Windows\system32\cmd.exe /c sonia_7.exe
  C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_7.exe (PID 1664)
    command line: sonia_7.exe

C:\Windows\SysWOW64\rUNdlL32.eXe (PID 1292)
  command line: "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",getmft

C:\Windows\system32\svchost.exe (PID 1992)
  command line: C:\Windows\system32\svchost.exe -k SystemNetworkService

C:\Windows\SysWOW64\WerFault.exe (PID 1704)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 408
  - Program crash

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe (PID 1860)
  command line: "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe (PID 2896)
    command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\liqian.exe (PID 412)
  command line: "C:\Users\Admin\AppData\Local\Temp\liqian.exe"
  C:\Windows\SysWOW64\rUNdlL32.eXe (PID 3024)
    command line: "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub

C:\Users\Admin\AppData\Local\Temp\UGloryStp.exe (PID 2252)
  command line: "C:\Users\Admin\AppData\Local\Temp\UGloryStp.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe (PID 2012)
  command line: C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe (PID 772)
  command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_5.exe (PID 2124)
  command line: sonia_5.exe

C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe (PID 2880)
  command line: sonia_6.exe
  C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe (PID 2528)
    command line: C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe
  C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe (PID 488)
    command line: C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe
  C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe (PID 564)
    command line: C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe

C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_1.exe (PID 2020)
  command line: sonia_1.exe

C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_2.exe (PID 2296)
  command line: sonia_2.exe

C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_4.exe (PID 2100)
  command line: sonia_4.exe

C:\Windows\SysWOW64\cmd.exe (PID 2996)
  command line: C:\Windows\system32\cmd.exe /c sonia_6.exe

C:\Windows\SysWOW64\cmd.exe (PID 2980)
  command line: C:\Windows\system32\cmd.exe /c sonia_5.exe

C:\Windows\SysWOW64\cmd.exe (PID 2964)
  command line: C:\Windows\system32\cmd.exe /c sonia_4.exe

C:\Windows\SysWOW64\cmd.exe (PID 2952)
  command line: C:\Windows\system32\cmd.exe /c sonia_2.exe

C:\Windows\SysWOW64\cmd.exe (PID 2872)
  command line: C:\Windows\system32\cmd.exe /c sonia_1.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 218KB
MD5: d09be1f47fd6b827c81a4812b4f7296f
SHA1: 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256: 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512: 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Filesize: 1.4MB
MD5: 7ceaa24847dc2b66a5e2f2da7b395006
SHA1: c0b5fa50074094de3386df7ca79d79913946f222
SHA256: 11136c8f014ae8480c66e4368367ec9b6e8b5fe15f183fc091328eba5113ba26
SHA512: 71569c0a6e8a91dc31f9b7cba3c4dc6a79292b4d52eab8b80ac656ec9fb26d8168ab12bd15a290f21cbe755a1bfeb561e384681442e2e7fade378ce46ecbac51

Filesize: 1.4MB
MD5: 8c7d52a9e8f9537f865ecb1a67d642fa
SHA1: cc554e957431f678c6895864b689ac1bd4bee94b
SHA256: 4b5254d98a6461f9568ba6ff292c92b1fae643fa7b31e52e55a177be30e31527
SHA512: a4f6e79d8c788f6342654b84829cabbddb6a2085602e525440b9c495c971a81fb3cd371d20d50aea5bbf3311d495d6e8817a9d30066847915d718fb430708eea

Filesize: 1.2MB
MD5: c6ceb6d8ca7f5cf8da77e01af29c49c3
SHA1: f84e5a18016307fd895d520add4b27d183602a8b
SHA256: 3d28c255eb311fced451d08caea9c586a9c97e20873f0ff34797d6ccf6c7fc67
SHA512: f2c06916fa46e039115a4e4f3fa66bbe24d0ed43b02ac5aa1dad8cfd0313279279106494816ea88dc92c78ab95689312bf524a913481c523443148c627aa4b2b

Filesize: 54KB
MD5: e6e578373c2e416289a8da55f1dc5e8e
SHA1: b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256: 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512: 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Filesize: 2.1MB
MD5: 0b2577405545f91ec75e1bdaf181350e
SHA1: ce1a36076306c08573e29b9e7bdf92164d566f84
SHA256: a89b9999f86cecf8ebe5c547168395e681878964788695e61bb7e4172ec3cf99
SHA512: 9dfe6405e12f7c08dbc0edbb17e97d926064e2f5dcd4e03e3c2cecb5d5eeee88337c91f489a9e51d9a870200806b4bd25691b71bd7ff74a3df8c365f026c79d6

Filesize: 894KB
MD5: 1572a2cb9432cc73740411e2dda1207c
SHA1: 30f89134322ef297b27c24cc4d9689bdcbe4a636
SHA256: 64a8aeae9d19ffcb6d4a7c0f7c7682735dd8e0096d87853c0e530ecf645d8297
SHA512: 024c9ad686d5d5ad522acc8860715fcdd479028694445290bb814f623ce8e6429a81eac5afb02e13a7efafe714e83d1c3c4c7dd64b2a4c0e87af5725a897e06e

Filesize: 2.0MB
MD5: 938386f79c5f46c6c06b1bf2a2d6aa92
SHA1: 73b3f9001cd9e6f6c6915e4e4793abfc2db8aa56
SHA256: 76f49a6e2f929bd46a3a3cb0752edcbfba5edbc435e93601efea79adabd75cdb
SHA512: 895973de84e98814a1e9b28c1ba919ea6049512c0c43ed9fc66495f77034eedb71384e3ac8f697ae2483eaa331344763390313d4d5fda530704d1e7d25760382

Filesize: 1.9MB
MD5: 22af8065cddd43858d2d52069fb77cca
SHA1: d33d74f357721f3dc5a9e174c53bff2bc5edf180
SHA256: b445658cbb124e55048cbc88137bfe255dc3bf319036fec74fdf5cb0ac46f80d
SHA512: e0eedcc68e57c26759e9eef51f6883af4f2e8bf41056fe195cad456ea61de35c0c9228dc12f54d84c08a39eaa5c484a402a260054a4ebc96a7d08b337bf0f5af

Filesize: 1.9MB
MD5: e80fb71c9043b2750a85fd7614f7c8ab
SHA1: a8c2933ebf39f6cb0199ee7d885c6f7fc76f50fb
SHA256: 37e471f955a3ba92ba8691d85778fb80d0c2104eb83808cb2aed8717b359010e
SHA512: 3b1dc5ed4667536369db4f919a271d395500e4ca88179a12b303a77920cbe20fb2c24c809eae2accb6ec82dc2b697e1479814fd9231dfe13452e7f9d27a02bdd