Resubmissions
16-02-2024 02:54
240216-dd14ysfc71 1016-02-2024 01:10
240216-bjwqbaea93 1009-02-2024 16:00
240209-tfl1taed86 1009-02-2024 13:49
240209-q4sxgsbf9v 1006-02-2024 16:58
240206-vg3kmadccn 1006-02-2024 00:32
240206-avq4jadbfj 10Analysis
-
max time kernel
27s -
max time network
30s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
09-02-2024 16:00
General
-
Target
4363463463464363463463463.bin.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted
smokeloader
pub2
Extracted
smokeloader
2022
http://vatra.at/tmp/
http://spbdg.ru/tmp/
http://skinndia.com/tmp/
http://cracker.biz/tmp/
http://piratia-life.ru/tmp/
http://piratia.su/tmp/
Signatures
-
Detect ZGRat V1 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 20 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.bin.exe"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.bin.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\b5ed26bd6f40eda4ff90ec9b4a60b295c77a723d38ebebb0c70997caedc6fb8c.exe"C:\Users\Admin\AppData\Local\Temp\Files\b5ed26bd6f40eda4ff90ec9b4a60b295c77a723d38ebebb0c70997caedc6fb8c.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\Files\%E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe"C:\Users\Admin\AppData\Local\Temp\Files\%E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Files\autoit.exe"C:\Users\Admin\AppData\Local\Temp\Files\autoit.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
487KB
MD59cf763a5d12dde1b54f799e80d80ae56
SHA1ba6a86893caeb00fe1c08956978839d234b9a69a
SHA256a5c4da2138f831bd41a9dc971b86226bf5907d69a7df2ad2cbf7e64dc5fd22a8
SHA512cb34e2688881a6221358b55ad0c07cc6219396d0858ef2e29c007e470013c6999c5f1666b3625d741e7f704d1782ccff7911fc169cf69609fb40cc888f3c766d
-
Filesize
701KB
MD502f44cffa5036a4bfcaf407fa51333b3
SHA1d6def81060114100e1ca100dc37e28043058db22
SHA25657697ced67e28121e39b58804319c86d7313a450af4497f0e444c28bcc1e1aaa
SHA5126f9fa79054174c9db0795aec7ab77f2d6db9ec7ba0cd5ebea14c4c6d2ed9373038830a81d92fe1ce95189fd67e3529ae2d72cf9871695937e5933f5ce9796bbb
-
Filesize
1.0MB
MD58fa52f316c393496f272357191db6deb
SHA1b1ff3d48a3946ca7786a84e4a832617cd66fa3b9
SHA25692c6531a09180fae8b2aae7384b4cea9986762f0c271b35da09b4d0e733f9f45
SHA512c81da97d6980d6a5aa612070477950a1386239bb919e762f7870bccd459a03da48f8f169910b91f3827c6cfef50471569c9e0c9ff2ceb897904d81840c087d51
-
Filesize
187KB
MD570499efb7b7b759215c7d7b598a88158
SHA187efc57699c6f0a3659c1d48367833fa6d5b5d14
SHA256b5ed26bd6f40eda4ff90ec9b4a60b295c77a723d38ebebb0c70997caedc6fb8c
SHA512e864e2d64daeaf56cc32c81a30abde38b6e55b0f6e2815129740f0449b9ed5b91a5fb8d1a03549dbacede99af7a038b4eaef8f3c369515e29179df702970f1d5
-
Filesize
412KB
MD53c9da20ad78d24df53b661b7129959e0
SHA1e7956e819cc1d2abafb2228a10cf22b9391fb611
SHA2562fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319
SHA5121a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4
-
Filesize
432KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
32.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
1.0MB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
6.1MB
-
Filesize
360KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
304KB
-
Filesize
1024KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
5.7MB