Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
15-03-2024 02:27
General
-
Target
84c81970d4af15114473225603bae7517743476e0bb4fc65dc0f890cf61e7ca6.exe
-
Size
208KB
-
MD5
960c380ba57e06e4687f4f123600d704
-
SHA1
905aabfe25088890f09dfd8de35e7229fe0632f7
-
SHA256
84c81970d4af15114473225603bae7517743476e0bb4fc65dc0f890cf61e7ca6
-
SHA512
51793a6d5eae5a6a9cc00cc5160b00ea842f1967de087c49b9e101c254b9ae706918c871a00ff6a13fffef989434e470e40454a05958b440e0f4b9f0aca1d1ea
-
SSDEEP
3072:usLXps3ttQL00rAh0PjoUTFsxIIu9u0SPr91u368:1htAqr/SII7xbu3P
Malware Config
Extracted
smokeloader
2022
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
redline
LiveTraffic
20.218.68.91:7690
Extracted
lumma
https://resergvearyinitiani.shop/api
https://colorfulequalugliess.shop/api
https://herdbescuitinjurywu.shop/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Detects executables packed with unregistered version of .NET Reactor 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 7 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 4 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 59 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\84c81970d4af15114473225603bae7517743476e0bb4fc65dc0f890cf61e7ca6.exe"C:\Users\Admin\AppData\Local\Temp\84c81970d4af15114473225603bae7517743476e0bb4fc65dc0f890cf61e7ca6.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\AA78.exeC:\Users\Admin\AppData\Local\Temp\AA78.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe"C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 12444⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 12284⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000837001\goldprime1234.exe"C:\Users\Admin\AppData\Local\Temp\1000837001\goldprime1234.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\999976163400_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\1691.exeC:\Users\Admin\AppData\Local\Temp\1691.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 6123⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 10202⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4308 -ip 43081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4308 -ip 43081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3372 -ip 33721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 688 -ip 6881⤵
-
C:\Users\Admin\AppData\Local\Temp\620E.exeC:\Users\Admin\AppData\Local\Temp\620E.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 10802⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2620 -ip 26201⤵
-
C:\Users\Admin\AppData\Local\Temp\841D.exeC:\Users\Admin\AppData\Local\Temp\841D.exe1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
534KB
MD5a3f8b60a08da0f600cfce3bb600d5cb3
SHA1b00d7721767b717b3337b5c6dade4ebf2d56345e
SHA2560c608a9b1e70bf8b51a681a8390c8e4743501c45b84cf4d59727aba2fc33cadb
SHA51214f63e415133ca438d3c217d5fb3ecf0ad76e19969c54d356f46282230230f1b254fbfc8ae5f78809dc189a9648be2dc1398927b3f089c525cd1105a3843f60d
-
Filesize
555KB
MD50c4fee8706a8ea370b7a272b7c5bbc85
SHA1bda2a1ebc921db843d06aa5074884207ccbe9242
SHA2569ec8397acd7c4106763ba84f4ebe1fd1cf39b4b0de442be8f89cd57de6151aac
SHA512dd2c1d00325533db2cc5fe14ab52747182a494a2524e4f891e3dcd3ce2ab9685322a9fe1f5f2bd2b9808d6f1efab2a9cdfcc762016935464a7ddd237e620f9a4
-
Filesize
4.8MB
MD50de49b7358184b13c717ea9a823f12bb
SHA1a764efe549b694c7ce05773c55b7d582b6f4ba2d
SHA25648c26d758ee7acee07033f1583de83451a9e1f07facf958b786c654786f7f18f
SHA512d10361e573912aad2dd49791c14cb6eec6d271eb5353b9c500e2824eb229e96799ecc982e96abb3fbd610eef6cb55487873bbac9dfbf0a68872beac746e9044a
-
Filesize
3.6MB
MD546d13c878f25bc4830189acf539344dd
SHA1ee218c88124fd5a38df40003a7d5c2345bd24dd1
SHA256913642c203d6b31e775cc309ee5dbf4493e248586f14048b11c148644e669fca
SHA512ebf69a0f99d4fa3e3fca26f8910ba48e29e28d3093d9d61d744a1fc21f6a787d62ff7aeb8711daffd095ee326b977d930220850d280a1d5a0fef2afa11aa7504
-
Filesize
4.3MB
MD55c4cfa221f4b3f6db9b803b2fb3d61ab
SHA1c19ece12ac655c8f6125acc1d7fa0c89c6a4bfb0
SHA25684cc308047b0d54eecd28346f60f7728af96c65061effa8a5cf5705fae788405
SHA512388365eb062b0fb702743c4c1ed01e1367a255513be568f00eff250c0f011e6fe3ccf0519e99d540c18527e10399c6d3035669a5b971ba9eba2db458af4a82a0
-
Filesize
554KB
MD5a1b5ee1b9649ab629a7ac257e2392f8d
SHA1dc1b14b6d57589440fb3021c9e06a3e3191968dc
SHA2562bfd95260a4c52d4474cd51e74469fc3de94caed28937ff0ce99ded66af97e65
SHA51250ccbb9fd4ea2da847c6be5988e1e82e28d551b06cc9122b921dbd40eff4b657a81a010cea76f29e88fda06f8c053090b38d04eb89a6d63ec4f42ef68b1cf82b
-
Filesize
1.8MB
MD5aaacf46a89720b66de3ad6b5a2947fa8
SHA15718da5742ed0025a1164e6b1bc8c100504408d0
SHA256cddb36a5d37c4a7343f0284b830345ee18ef510c21f8a673d20cc770077ec61a
SHA512cb9716cfdf6576f47873a05c7763f0a15c356fe885d76bc516dab7e501fd2fa63e34c4da14a7bb96d86c311849daef9c3167f7be4cfa4c8bf3d14941e6ee225d
-
Filesize
742KB
MD5544cd51a596619b78e9b54b70088307d
SHA14769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
Filesize
1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
1024KB
-
Filesize
504KB
-
Filesize
504KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
12.3MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
32.0MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
560KB
-
Filesize
7.7MB
-
Filesize
6.1MB
-
Filesize
5.6MB
-
Filesize
320KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
1.0MB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
1.6MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
4.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
88KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4KB
-
Filesize
4.6MB
-
Filesize
4KB
-
Filesize
4.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.6MB
-
Filesize
4KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
4KB
-
Filesize
32.0MB
-
Filesize
32.0MB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
4KB
-
Filesize
4.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.6MB
-
Filesize
8KB
-
Filesize
4.6MB
-
Filesize
4KB
-
Filesize
4KB