Analysis
-
max time kernel
82s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
29-03-2024 10:32
General
-
Target
633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe
-
Size
204KB
-
MD5
3f6f77f2a1a79b61b366714e81155d93
-
SHA1
df858f5ffa1193f6a2aff97cc8d420c904b95e17
-
SHA256
633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573
-
SHA512
747b1fc16ff30eb9f4bea3f481d2b82199ab8a8d67ade39ae4820b6c360bc2a840915f6f99cc406f8bc1efc088fa800f9227f507d5cf49b096017e5983d4d4b4
-
SSDEEP
3072:Z3SDLqRgTHASJxi5iyAJ7oI4Z4tEmPgc2F/:Z3dRgTHAGo5BEoI4Z4tEvcC/
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
5.42.65.0:29587
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe"C:\Users\Admin\AppData\Local\Temp\633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C796.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2272,i,17338911640954948469,1637568328132129119,262144 --variations-seed-version /prefetch:81⤵
-
C:\Users\Admin\AppData\Local\Temp\5149.exeC:\Users\Admin\AppData\Local\Temp\5149.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 2602⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 844 -ip 8441⤵
-
C:\Users\Admin\AppData\Local\Temp\A3EE.exeC:\Users\Admin\AppData\Local\Temp\A3EE.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A6BE.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\5149.exeFilesize
392KB
MD589ec2c6bf09ed9a38bd11acb2a41cd1b
SHA1408549982b687ca8dd5efb0e8b704a374bd8909d
SHA256da1e155c46ca6b23409d059b6d85341c0b86c92d2c69dbda85eef3894313662d
SHA512c565dbb25dd35ae8dce2a4cf15640053aca8b99c5c78db23648e6618ef316362b77142c6524b47089a7ea05632adee091ec5e82ed95aeb86d2331b8c5f8cc56a
-
C:\Users\Admin\AppData\Local\Temp\A3EE.exeFilesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
C:\Users\Admin\AppData\Local\Temp\C796.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
memory/532-1-0x0000000000770000-0x0000000000870000-memory.dmpFilesize
1024KB
-
memory/532-2-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/532-3-0x0000000002280000-0x000000000228B000-memory.dmpFilesize
44KB
-
memory/532-5-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/844-22-0x00000000059D0000-0x00000000059E0000-memory.dmpFilesize
64KB
-
memory/844-21-0x0000000074650000-0x0000000074E00000-memory.dmpFilesize
7.7MB
-
memory/844-20-0x0000000000E90000-0x0000000000EF4000-memory.dmpFilesize
400KB
-
memory/844-23-0x00000000032A0000-0x00000000032A1000-memory.dmpFilesize
4KB
-
memory/844-39-0x0000000074650000-0x0000000074E00000-memory.dmpFilesize
7.7MB
-
memory/844-29-0x0000000003440000-0x0000000005440000-memory.dmpFilesize
32.0MB
-
memory/1420-62-0x00000000030C0000-0x00000000030C1000-memory.dmpFilesize
4KB
-
memory/1420-63-0x00000000030D0000-0x00000000030D1000-memory.dmpFilesize
4KB
-
memory/1420-64-0x0000000000470000-0x0000000001155000-memory.dmpFilesize
12.9MB
-
memory/1420-60-0x00000000030A0000-0x00000000030A1000-memory.dmpFilesize
4KB
-
memory/1420-58-0x0000000003070000-0x0000000003071000-memory.dmpFilesize
4KB
-
memory/1420-61-0x00000000030B0000-0x00000000030B1000-memory.dmpFilesize
4KB
-
memory/1420-59-0x0000000000470000-0x0000000001155000-memory.dmpFilesize
12.9MB
-
memory/1420-57-0x0000000003060000-0x0000000003061000-memory.dmpFilesize
4KB
-
memory/1420-52-0x0000000000470000-0x0000000001155000-memory.dmpFilesize
12.9MB
-
memory/1420-65-0x00000000030E0000-0x00000000030E1000-memory.dmpFilesize
4KB
-
memory/3496-4-0x0000000002DE0000-0x0000000002DF6000-memory.dmpFilesize
88KB
-
memory/4284-31-0x0000000074650000-0x0000000074E00000-memory.dmpFilesize
7.7MB
-
memory/4284-41-0x0000000007130000-0x00000000072F2000-memory.dmpFilesize
1.8MB
-
memory/4284-42-0x0000000007830000-0x0000000007D5C000-memory.dmpFilesize
5.2MB
-
memory/4284-40-0x0000000006180000-0x00000000061E6000-memory.dmpFilesize
408KB
-
memory/4284-47-0x0000000007500000-0x0000000007550000-memory.dmpFilesize
320KB
-
memory/4284-38-0x0000000005950000-0x000000000599C000-memory.dmpFilesize
304KB
-
memory/4284-37-0x00000000057D0000-0x000000000580C000-memory.dmpFilesize
240KB
-
memory/4284-36-0x0000000005770000-0x0000000005782000-memory.dmpFilesize
72KB
-
memory/4284-35-0x0000000005840000-0x000000000594A000-memory.dmpFilesize
1.0MB
-
memory/4284-34-0x00000000065F0000-0x0000000006C08000-memory.dmpFilesize
6.1MB
-
memory/4284-33-0x00000000056A0000-0x00000000056AA000-memory.dmpFilesize
40KB
-
memory/4284-32-0x00000000054C0000-0x00000000054D0000-memory.dmpFilesize
64KB
-
memory/4284-30-0x0000000005510000-0x00000000055A2000-memory.dmpFilesize
584KB
-
memory/4284-28-0x0000000005A20000-0x0000000005FC4000-memory.dmpFilesize
5.6MB
-
memory/4284-26-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB