Malware Analysis Report

2024-10-19 02:14

Sample ID 231231-h73l4afcen
Target 2d3e5a2a2243d788901fb182156f4031
SHA256 a5f4eb3b915bcfdd72cb81b7d89c0c0fd6b190b637db6ffad25604d24985f9e8
Tags
nullmixer redline sectoprat smokeloader vidar 706 domani pub5 aspackv2 backdoor dropper infostealer rat stealer trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

a5f4eb3b915bcfdd72cb81b7d89c0c0fd6b190b637db6ffad25604d24985f9e8

Threat Level: Known bad

The file 2d3e5a2a2243d788901fb182156f4031 was found to be: Known bad.

Malicious Activity Summary


Vidar

RedLine payload

RedLine

NullMixer

SmokeLoader

SectopRAT payload

SectopRAT

Nirsoft

Vidar Stealer

Loads dropped DLL

UPX packed file

ASPack v2.12-2.42

Executes dropped EXE

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2023-12-31 07:23

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 07:23

Reported

2024-01-03 17:44

Platform

win7-20231215-en

Max time kernel

1s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d3e5a2a2243d788901fb182156f4031.exe"

Signatures

NullMixer

dropper nullmixer

RedLine

infostealer redline

RedLine payload

SectopRAT

trojan rat sectoprat

SectopRAT payload

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Nirsoft

Vidar Stealer

stealer

ASPack v2.12-2.42

aspackv2

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4D468136\setup_install.exe N/A

UPX packed file

upx

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2480 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2d3e5a2a2243d788901fb182156f4031.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1236 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4D468136\setup_install.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2d3e5a2a2243d788901fb182156f4031.exe

"C:\Users\Admin\AppData\Local\Temp\2d3e5a2a2243d788901fb182156f4031.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_7.exe

C:\Windows\SysWOW64\rUNdlL32.eXe

"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",getmft

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k SystemNetworkService

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 408

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"

C:\Users\Admin\AppData\Local\Temp\liqian.exe

"C:\Users\Admin\AppData\Local\Temp\liqian.exe"

C:\Users\Admin\AppData\Local\Temp\UGloryStp.exe

"C:\Users\Admin\AppData\Local\Temp\UGloryStp.exe"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\rUNdlL32.eXe

"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub

C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe

C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_3.exe

sonia_3.exe

C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_5.exe

sonia_5.exe

C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_7.exe

sonia_7.exe

C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe

sonia_6.exe

C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_1.exe

sonia_1.exe

C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_2.exe

sonia_2.exe

C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe

C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe

C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_4.exe

sonia_4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_1.exe

C:\Users\Admin\AppData\Local\Temp\7zS4D468136\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS4D468136\setup_install.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe

C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe

C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe

C:\Users\Admin\AppData\Local\Temp\7zS4D468136\sonia_6.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 956

Network

Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 938386f79c5f46c6c06b1bf2a2d6aa92
SHA1 73b3f9001cd9e6f6c6915e4e4793abfc2db8aa56
SHA256 76f49a6e2f929bd46a3a3cb0752edcbfba5edbc435e93601efea79adabd75cdb
SHA512 895973de84e98814a1e9b28c1ba919ea6049512c0c43ed9fc66495f77034eedb71384e3ac8f697ae2483eaa331344763390313d4d5fda530704d1e7d25760382

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 8c7d52a9e8f9537f865ecb1a67d642fa
SHA1 cc554e957431f678c6895864b689ac1bd4bee94b
SHA256 4b5254d98a6461f9568ba6ff292c92b1fae643fa7b31e52e55a177be30e31527
SHA512 a4f6e79d8c788f6342654b84829cabbddb6a2085602e525440b9c495c971a81fb3cd371d20d50aea5bbf3311d495d6e8817a9d30066847915d718fb430708eea

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 c6ceb6d8ca7f5cf8da77e01af29c49c3
SHA1 f84e5a18016307fd895d520add4b27d183602a8b
SHA256 3d28c255eb311fced451d08caea9c586a9c97e20873f0ff34797d6ccf6c7fc67
SHA512 f2c06916fa46e039115a4e4f3fa66bbe24d0ed43b02ac5aa1dad8cfd0313279279106494816ea88dc92c78ab95689312bf524a913481c523443148c627aa4b2b

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 1572a2cb9432cc73740411e2dda1207c
SHA1 30f89134322ef297b27c24cc4d9689bdcbe4a636
SHA256 64a8aeae9d19ffcb6d4a7c0f7c7682735dd8e0096d87853c0e530ecf645d8297
SHA512 024c9ad686d5d5ad522acc8860715fcdd479028694445290bb814f623ce8e6429a81eac5afb02e13a7efafe714e83d1c3c4c7dd64b2a4c0e87af5725a897e06e

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 e80fb71c9043b2750a85fd7614f7c8ab
SHA1 a8c2933ebf39f6cb0199ee7d885c6f7fc76f50fb
SHA256 37e471f955a3ba92ba8691d85778fb80d0c2104eb83808cb2aed8717b359010e
SHA512 3b1dc5ed4667536369db4f919a271d395500e4ca88179a12b303a77920cbe20fb2c24c809eae2accb6ec82dc2b697e1479814fd9231dfe13452e7f9d27a02bdd

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 22af8065cddd43858d2d52069fb77cca
SHA1 d33d74f357721f3dc5a9e174c53bff2bc5edf180
SHA256 b445658cbb124e55048cbc88137bfe255dc3bf319036fec74fdf5cb0ac46f80d
SHA512 e0eedcc68e57c26759e9eef51f6883af4f2e8bf41056fe195cad456ea61de35c0c9228dc12f54d84c08a39eaa5c484a402a260054a4ebc96a7d08b337bf0f5af

C:\Users\Admin\AppData\Local\Temp\7zS4D468136\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zS4D468136\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS4D468136\setup_install.exe

MD5 7ceaa24847dc2b66a5e2f2da7b395006
SHA1 c0b5fa50074094de3386df7ca79d79913946f222
SHA256 11136c8f014ae8480c66e4368367ec9b6e8b5fe15f183fc091328eba5113ba26
SHA512 71569c0a6e8a91dc31f9b7cba3c4dc6a79292b4d52eab8b80ac656ec9fb26d8168ab12bd15a290f21cbe755a1bfeb561e384681442e2e7fade378ce46ecbac51

\Users\Admin\AppData\Local\Temp\7zS4D468136\setup_install.exe

MD5 0b2577405545f91ec75e1bdaf181350e
SHA1 ce1a36076306c08573e29b9e7bdf92164d566f84
SHA256 a89b9999f86cecf8ebe5c547168395e681878964788695e61bb7e4172ec3cf99
SHA512 9dfe6405e12f7c08dbc0edbb17e97d926064e2f5dcd4e03e3c2cecb5d5eeee88337c91f489a9e51d9a870200806b4bd25691b71bd7ff74a3df8c365f026c79d6

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 07:23

Reported

2024-01-03 17:45

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d3e5a2a2243d788901fb182156f4031.exe"

Signatures

NullMixer

dropper nullmixer

RedLine

infostealer redline

RedLine payload

SectopRAT

trojan rat sectoprat

SectopRAT payload

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Nirsoft

Vidar Stealer

stealer

UPX packed file

upx

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2d3e5a2a2243d788901fb182156f4031.exe

"C:\Users\Admin\AppData\Local\Temp\2d3e5a2a2243d788901fb182156f4031.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_3.exe

sonia_3.exe

C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_5.exe

sonia_5.exe

C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_6.exe

C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_6.exe

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"

C:\Users\Admin\AppData\Local\Temp\liqian.exe

"C:\Users\Admin\AppData\Local\Temp\liqian.exe"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\rUNdlL32.eXe

"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",getmft

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5020 -ip 5020

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 544

C:\Windows\SysWOW64\rUNdlL32.eXe

"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 620 -ip 620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 608

C:\Users\Admin\AppData\Local\Temp\UGloryStp.exe

"C:\Users\Admin\AppData\Local\Temp\UGloryStp.exe"

C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_4.exe

sonia_4.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_6.exe

sonia_6.exe

C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_7.exe

sonia_7.exe

C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_2.exe

sonia_2.exe

C:\Users\Admin\AppData\Local\Temp\7zS84280507\sonia_1.exe

sonia_1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_1.exe

C:\Users\Admin\AppData\Local\Temp\7zS84280507\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS84280507\setup_install.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5292 -ip 5292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3448 -ip 3448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 1044

Network

Files

C:\Users\Admin\AppData\Roaming\raeajir

MD5 3c5befb2d5ea426202a35707016d4996
SHA1 bc0bfa794f196db39697ffc5d91cc4f331b0ebc4
SHA256 1d8900c446e33374b82a8849eb66a0af2df370eec99864826e69c671745536dd
SHA512 40c3f5aaefb3154efd0a44931fb4c50b54db77da177d6926015359e6e5f2dd51cc11dbf0b90759bcc91300079372d5f9d9751972b1153ad8dbb990220166ebf3
