Overview

overview

10

Static

static

3

4363463463...in.exe

windows10-2004-x64

10

Resubmissions

16-02-2024 02:54

240216-dd14ysfc71 10

16-02-2024 01:10

240216-bjwqbaea93 10

09-02-2024 16:00

240209-tfl1taed86 10

09-02-2024 13:49

240209-q4sxgsbf9v 10

06-02-2024 16:58

240206-vg3kmadccn 10

06-02-2024 00:32

240206-avq4jadbfj 10

Analysis

  • max time kernel
    27s
  • max time network
    30s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-02-2024 16:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4363463463464363463463463.bin.exe

  • Size

    10KB

  • MD5

    2a94f3960c58c6e70826495f76d00b85

  • SHA1

    e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

  • SHA256

    2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

  • SHA512

    fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

  • SSDEEP

    192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score
10/10
redlinesmokeloaderzgratpub2backdoorinfostealerrattrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

smokeloader

Version

2022

C2

http://vatra.at/tmp/

http://spbdg.ru/tmp/

http://skinndia.com/tmp/

http://cracker.biz/tmp/

http://piratia-life.ru/tmp/

http://piratia.su/tmp/
rc4.i32
rc4.i32

Signatures

  • Detect ZGRat V1 1 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.bin.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:316
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
          PID:5020
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          3⤵
            PID:388
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            3⤵
              PID:3696
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              3⤵
                PID:1244
            • C:\Users\Admin\AppData\Local\Temp\Files\b5ed26bd6f40eda4ff90ec9b4a60b295c77a723d38ebebb0c70997caedc6fb8c.exe
              "C:\Users\Admin\AppData\Local\Temp\Files\b5ed26bd6f40eda4ff90ec9b4a60b295c77a723d38ebebb0c70997caedc6fb8c.exe"
              2⤵
              • Executes dropped EXE
              • Checks SCSI registry key(s)
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              PID:3508
            • C:\Users\Admin\AppData\Local\Temp\Files\%E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe
              "C:\Users\Admin\AppData\Local\Temp\Files\%E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe"
              2⤵
              • Executes dropped EXE
              PID:4680
            • C:\Users\Admin\AppData\Local\Temp\Files\autoit.exe
              "C:\Users\Admin\AppData\Local\Temp\Files\autoit.exe"
              2⤵
              • Executes dropped EXE
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:1824

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Credential Access

          Discovery

          Query Registry

          2
          T1012

          System Information Discovery

          3
          T1082

          Peripheral Device Discovery

          1
          T1120

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Web Service

          1
          T1102

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\Files\%E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe
            Filesize

            487KB

            MD5

            9cf763a5d12dde1b54f799e80d80ae56

            SHA1

            ba6a86893caeb00fe1c08956978839d234b9a69a

            SHA256

            a5c4da2138f831bd41a9dc971b86226bf5907d69a7df2ad2cbf7e64dc5fd22a8

            SHA512

            cb34e2688881a6221358b55ad0c07cc6219396d0858ef2e29c007e470013c6999c5f1666b3625d741e7f704d1782ccff7911fc169cf69609fb40cc888f3c766d

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Files\%E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe
            Filesize

            701KB

            MD5

            02f44cffa5036a4bfcaf407fa51333b3

            SHA1

            d6def81060114100e1ca100dc37e28043058db22

            SHA256

            57697ced67e28121e39b58804319c86d7313a450af4497f0e444c28bcc1e1aaa

            SHA512

            6f9fa79054174c9db0795aec7ab77f2d6db9ec7ba0cd5ebea14c4c6d2ed9373038830a81d92fe1ce95189fd67e3529ae2d72cf9871695937e5933f5ce9796bbb

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Files\autoit.exe
            Filesize

            1.0MB

            MD5

            8fa52f316c393496f272357191db6deb

            SHA1

            b1ff3d48a3946ca7786a84e4a832617cd66fa3b9

            SHA256

            92c6531a09180fae8b2aae7384b4cea9986762f0c271b35da09b4d0e733f9f45

            SHA512

            c81da97d6980d6a5aa612070477950a1386239bb919e762f7870bccd459a03da48f8f169910b91f3827c6cfef50471569c9e0c9ff2ceb897904d81840c087d51

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Files\b5ed26bd6f40eda4ff90ec9b4a60b295c77a723d38ebebb0c70997caedc6fb8c.exe
            Filesize

            187KB

            MD5

            70499efb7b7b759215c7d7b598a88158

            SHA1

            87efc57699c6f0a3659c1d48367833fa6d5b5d14

            SHA256

            b5ed26bd6f40eda4ff90ec9b4a60b295c77a723d38ebebb0c70997caedc6fb8c

            SHA512

            e864e2d64daeaf56cc32c81a30abde38b6e55b0f6e2815129740f0449b9ed5b91a5fb8d1a03549dbacede99af7a038b4eaef8f3c369515e29179df702970f1d5

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
            Filesize

            412KB

            MD5

            3c9da20ad78d24df53b661b7129959e0

            SHA1

            e7956e819cc1d2abafb2228a10cf22b9391fb611

            SHA256

            2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319

            SHA512

            1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4

            Download Submit
          • memory/316-15-0x0000000000B80000-0x0000000000BEC000-memory.dmp
            Filesize

            432KB

            Download
          • memory/316-16-0x0000000074C90000-0x0000000075440000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/316-17-0x0000000005430000-0x0000000005440000-memory.dmp
            Filesize

            64KB

            Download
          • memory/316-48-0x0000000074C90000-0x0000000075440000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/316-42-0x0000000002E70000-0x0000000004E70000-memory.dmp
            Filesize

            32.0MB

            Download
          • memory/748-74-0x0000000004C50000-0x0000000004C60000-memory.dmp
            Filesize

            64KB

            Download
          • memory/748-3-0x0000000004C50000-0x0000000004C60000-memory.dmp
            Filesize

            64KB

            Download
          • memory/748-72-0x0000000074C90000-0x0000000075440000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/748-2-0x0000000004CC0000-0x0000000004D5C000-memory.dmp
            Filesize

            624KB

            Download
          • memory/748-0-0x0000000000300000-0x0000000000308000-memory.dmp
            Filesize

            32KB

            Download
          • memory/748-1-0x0000000074C90000-0x0000000075440000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/1244-47-0x0000000074C90000-0x0000000075440000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/1244-51-0x0000000005660000-0x0000000005672000-memory.dmp
            Filesize

            72KB

            Download
          • memory/1244-80-0x0000000074C90000-0x0000000075440000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/1244-79-0x00000000056A0000-0x00000000056B0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1244-52-0x00000000057C0000-0x00000000058CA000-memory.dmp
            Filesize

            1.0MB

            Download
          • memory/1244-55-0x00000000056F0000-0x000000000572C000-memory.dmp
            Filesize

            240KB

            Download
          • memory/1244-57-0x0000000005730000-0x000000000577C000-memory.dmp
            Filesize

            304KB

            Download
          • memory/1244-49-0x0000000005CD0000-0x00000000062E8000-memory.dmp
            Filesize

            6.1MB

            Download
          • memory/1244-34-0x0000000000400000-0x000000000045A000-memory.dmp
            Filesize

            360KB

            Download
          • memory/1244-44-0x00000000056A0000-0x00000000056B0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/3268-75-0x0000000000F70000-0x0000000000F86000-memory.dmp
            Filesize

            88KB

            Download
          • memory/3508-71-0x00000000004D0000-0x00000000004D9000-memory.dmp
            Filesize

            36KB

            Download
          • memory/3508-73-0x0000000000400000-0x000000000044C000-memory.dmp
            Filesize

            304KB

            Download
          • memory/3508-70-0x0000000000600000-0x0000000000700000-memory.dmp
            Filesize

            1024KB

            Download
          • memory/3508-77-0x0000000000400000-0x000000000044C000-memory.dmp
            Filesize

            304KB

            Download
          • memory/4680-69-0x0000000000E80000-0x0000000000E90000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4680-54-0x000000006FAB0000-0x0000000070061000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/4680-53-0x000000006FAB0000-0x0000000070061000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/4680-50-0x0000000000E80000-0x0000000000E90000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4680-81-0x0000000000E80000-0x0000000000E90000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4680-82-0x000000006FAB0000-0x0000000070061000-memory.dmp
            Filesize

            5.7MB

            Download