Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
06-03-2024 02:47
General
-
Target
setup_installer.exe
-
Size
3.2MB
-
MD5
85cd8130faf8e25529dce3d52c723522
-
SHA1
e821659f64ee8c3c7c1b08d65f68e232e5cc5fbe
-
SHA256
f9ccc11d6d9d8ab81be4d2c88fd66dd7d59bd93c99a3c084194b7a80b5d1b4b7
-
SHA512
0bc55297ebd588fc54d8b1b5775ec8ca7de854f07116d8d3d98d15e709a5347a0259596ed9fe9fa356163de6a07feffc44a6f427622313ce1c569a8bb07bf0a8
-
SSDEEP
49152:xcBJamB6oTuTSyPpoF9XeGz9+ETibZl0kzK9HlB3F6+9SnwEwJ84vLRaBtIl9mTX:xYuxW9XlogmiBtF6QSHCvLUBsKPP
Malware Config
Extracted
nullmixer
http://motiwa.xyz/
Extracted
redline
ServAni
87.251.71.195:82
Extracted
smokeloader
pub6
Extracted
vidar
39.4
706
https://sergeevih43.tumblr.com/
-
profile_id
706
Extracted
redline
Cana
176.111.174.254:56328
Extracted
smokeloader
2020
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
Signatures
-
Detect Fabookie payload 1 IoCs
-
Fabookie
Fabookie is facebook account info stealer.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 3 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Nirsoft 3 IoCs
-
Vidar Stealer 3 IoCs
-
ASPack v2.12-2.42 4 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 9 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 62 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCBDA8C27\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSCBDA8C27\setup_install.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_1.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCBDA8C27\arnatic_1.exearnatic_1.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 10525⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_2.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCBDA8C27\arnatic_2.exearnatic_2.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 4125⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_3.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCBDA8C27\arnatic_3.exearnatic_3.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub5⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 6006⤵
- Program crash
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_4.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCBDA8C27\arnatic_4.exearnatic_4.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_5.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCBDA8C27\arnatic_5.exearnatic_5.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_6.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCBDA8C27\arnatic_6.exearnatic_6.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCBDA8C27\arnatic_6.exeC:\Users\Admin\AppData\Local\Temp\7zSCBDA8C27\arnatic_6.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_7.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCBDA8C27\arnatic_7.exearnatic_7.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 5563⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2764 -ip 27641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3136 -ip 31361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3276 -ip 32761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4536 -ip 45361⤵
-
C:\Users\Admin\AppData\Roaming\ufjwvetC:\Users\Admin\AppData\Roaming\ufjwvet1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 3922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4820 -ip 48201⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
847B
MD5f8ec7f563d06ccddddf6c96b8957e5c8
SHA173bdc49dcead32f8c29168645a0f080084132252
SHA25638ef57aec780edd2c8dab614a85ce87351188fce5896ffebc9f69328df2056ed
SHA5128830821ac9edb4cdf4d8a3d7bc30433987ae4c158cf81b705654f54aaeba366c5fa3509981aceae21e193dd4483f03b9d449bc0a32545927d3ca94b0f9367684
-
Filesize
699KB
MD518fd29a7113a43375058a2788177b0ee
SHA186d2df734704de865027f6cbfbc8e5a329990fb5
SHA256088df39953be8f10f9f92ecc00b2ecb3f21bf987ddbab78b684b7760ac1b9559
SHA512c6d376890e79040b47b86b673b970cbc9606d6f5f8a11fb2ec2e3d370d44ec8d9347852d6273fa051c0f26d73cadc9312818a23a9c998cc5aa3b98dd01877688
-
Filesize
357KB
MD5a0bfcb8ec26241f757476666ffb75188
SHA1e4b15098749249b0cc5428539f1de363d45c6e2a
SHA256a38993115d134eb6ada769257879b1737f66920e30908c07ce55bf9cdbbb5ba7
SHA512ebd21c2a96ba740105dd1e33e50436829ae94d513d2495fdd550912ff428a4f78d9705ba8f023dd525c850c7a1237a23201f4702c1ce1ebf0f6772ceddb58efd
-
Filesize
680KB
MD57837314688b7989de1e8d94f598eb2dd
SHA1889ae8ce433d5357f8ea2aff64daaba563dc94e3
SHA256d8c28d07c365873b4e8332f057f062e65f2dd0cd4d599fd8b16d82eca5cf4247
SHA5123df0c24a9f51a82716abb8e87ff44fdb6686183423d1f2f7d6bfb4cd03c3a18490f2c7987c29f3e1b2d25c48d428c2e73033998a872b185f70bb68a7aedb3e7c
-
Filesize
972KB
MD55668cb771643274ba2c375ec6403c266
SHA1dd78b03428b99368906fe62fc46aaaf1db07a8b9
SHA256d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384
SHA512135bd12414773cc84270af5225920a01487626528d7bbc2b703be71652265772c2e5488ee3f7e2c53b0b01c617b8c7920e0b457472b6724cfa9ec4c390b0a55a
-
Filesize
765KB
MD533d711ccfe4a4e9cbd37c99e25c13769
SHA1781e0cdc5b1c72f217f54bedd2c2862c73604e89
SHA2565d500524991ad1e6178b097b7ee5e270eef3710115b72a424b7fb2643490f992
SHA5122de7c4e5672f52da356ba80e132d9eb93a51290d43ebbe35471a72c2872ab7648880f0240ea94b0fce27d604c1a45964ab50ebe7256403900b22d7a59e0160c5
-
Filesize
392KB
MD5cfb846afa58b9a2fb8018e55ef841f90
SHA18a6bfe762bf3093b1fff0211752a34dc5ee57319
SHA25692f609f0932717ebf8ad7b9b3f049348d10f74442864e146dec3150cc684baf6
SHA51273344d00671fc365c6ac091524a975e67f5243590badff7c5253ee2c44a1944d60e801a0282218014941139bb59044c23372f802beca57559bbe76d61a002df1
-
Filesize
430KB
MD58c2f0a89bd8bfb029cf02e853ea30d82
SHA1d5d75a26a70a769d04ce977fe8bc774efa9de3be
SHA2566cb493755e621fed7e262241c1dc4a7baf77c08dc5eb18cae912eec57958eb47
SHA51210e2b0cb031119badf8bb1844a64e70e6cfd2034a7887d71a82df045818e41abc45f50c5733fcea0a53bbedd63d0113f4fad95c36f61c43ea71350fc04159623
-
Filesize
218KB
MD5d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
Filesize
54KB
MD5e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
Filesize
113KB
MD59aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
Filesize
647KB
MD55e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
Filesize
69KB
MD51e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
Filesize
290KB
MD5b20a433150dff0cfeb1f60b40072b2c5
SHA1785fcf96932dd40388e15721640a177857330a9d
SHA256fc9cbd74b0a4b94c4e2c78acdb0762c773fe79c34b95ebb856141bc8b20174c1
SHA512f1368250cfbfd78c245ea89b0ad90349f8d8a345e7b6597788ebf7ec17622570e7e5ff9f14344ac8e7b8ce28f5a23f071525553f0240963b3c49970fbb7a8933
-
Filesize
1.6MB
MD54f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
Filesize
551KB
MD513abe7637d904829fbb37ecda44a1670
SHA1de26b60d2c0b1660220caf3f4a11dfabaa0e7b9f
SHA2567a20b34c0f9b516007d40a570eafb782028c5613138e8b9697ca398b0b3420d6
SHA5126e02ca1282f3d1bbbb684046eb5dcef412366a0ed2276c1f22d2f16b978647c0e35a8d728a0349f022295b0aba30139b2b8bb75b92aa5fdcc18aae9dcf357d77
-
Filesize
48KB
MD589c739ae3bbee8c40a52090ad0641d31
SHA1d0f7dc9a0a3e52af0f9f9736f26e401636c420a1
SHA25610a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d
SHA512cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480
-
Filesize
794B
MD520552cba537d9790bfe5f84dda1ddf5d
SHA134d448a5473dbf40e809dd255025665f4b04acc7
SHA2568a153c91794ecc7dbf07b294495c81e2359a908d226dd1473b4c2dc954363b6a
SHA512fdfefa423a8283a48f0086388262acd587c53d9b7d1381f5c97e98946fae417c74241b76bc24e095d56f475dda0ff02bc9ceaae280d75ce32874ffa25a98251e
-
Filesize
31B
MD5b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
Filesize
1KB
MD5385e7be37cab843dac7287f8f08caa2a
SHA1b33fb3a6969583832d4880bb284d079785ec4b2b
SHA2567f22326ba9ce17f4c5bb9e69cbb1a2ccc0fa05f4a74d0bada6019d4ce1900bc7
SHA51252d9e634f6ad18b32978c4aa260b433f08aeb6546d20cf9abbfe92241310960b36cf4cfc590ad2a3d9522a1678bc9ea4527e120042815b10ae8c14cf362fe9e2
-
Filesize
184KB
MD57fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
Filesize
61KB
MD5a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
1024KB
-
Filesize
188KB
-
Filesize
128KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
1024KB
-
Filesize
5.0MB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
140KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.1MB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
1.1MB
-
Filesize
572KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
36KB
-
Filesize
1024KB
-
Filesize
7.7MB
-
Filesize
416KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
6.1MB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
1.0MB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
5.3MB
-
Filesize
1024KB
-
Filesize
5.3MB
-
Filesize
628KB
-
Filesize
1024KB
-
Filesize
5.0MB
-
Filesize
5.0MB