eabb7c5d04a447b6af835c375f9e5535fa1250f5ae976686048bf4bc9766612f

General

Target

SMTPChecker.exe
Size

23.1MB
MD5

b2d4138a7cbb8b3e02d9f61c76f31f18
SHA1

629dfd6d138fe6a9ff0492a63ef1ce0bd5356c6c
SHA256

eabb7c5d04a447b6af835c375f9e5535fa1250f5ae976686048bf4bc9766612f
SHA512

f9cc089193c91f603f0ed6f47f84fa7483344268a88b2bfdaa8914e5e9f07af84ab206bd621272718eaca8a3babdceeaf58cd25197b24adfc0cede6f3933c988
SSDEEP

393216:ZSzcigXdH1z88oOJOVyRzVOrRS1/Q1NeJ42Mjck4GREfMfoPwY74HpC1P5aw:mVgc8hJO4wK/EdcsEfQobeM6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

checkerdali.exe

pid process

2636 checkerdali.exe
Loads dropped DLL 2 IoCs

Processes:

SMTPChecker.execheckerdali.exe

pid process

2400 SMTPChecker.exe
2636 checkerdali.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

SMTPChecker.exe

pid process

2400 SMTPChecker.exe
2400 SMTPChecker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

SMTPChecker.exe

pid process

2400 SMTPChecker.exe

pid	process
2636	checkerdali.exe

pid	process
2400	SMTPChecker.exe
2636	checkerdali.exe

pid	process
2400	SMTPChecker.exe
2400	SMTPChecker.exe

pid	process
2400	SMTPChecker.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

SMTPChecker.exe

description	pid	process	target process
PID 2400 wrote to memory of 2636	2400	SMTPChecker.exe	checkerdali.exe
PID 2400 wrote to memory of 2636	2400	SMTPChecker.exe	checkerdali.exe
PID 2400 wrote to memory of 2636	2400	SMTPChecker.exe	checkerdali.exe

C:\Users\Admin\AppData\Local\Temp\SMTPChecker.exe
"C:\Users\Admin\AppData\Local\Temp\SMTPChecker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\onefile_2400_133768537657012000\checkerdali.exe
  C:\Users\Admin\AppData\Local\Temp\SMTPChecker.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_2400_133768537657012000\python312.dll

Filesize
6.6MB

MD5
5c5602cda7ab8418420f223366fff5db

SHA1
52f81ee0aef9b6906f7751fd2bbd4953e3f3b798

SHA256
e7890e38256f04ee0b55ac5276bbf3ac61392c3a3ce150bb5497b709803e17ce

SHA512
51c3b4f29781bb52c137ddb356e1bc5a37f3a25f0ed7d89416b14ed994121f884cb3e40ccdbb211a8989e3bd137b8df8b28e232f98de8f35b03965cfce4b424f

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_2400_133768537657012000\checkerdali.exe

Filesize
10.2MB

MD5
4500a38912953ac4ab5b5f6e72977939

SHA1
9c5e446f82af0dd0b0d75355df42996e79b0abe1

SHA256
29d7034c8d6af42e7859d5026d3905aa9b28c07b2efe0bc89818c9ad0a3fcc41

SHA512
ffbfaab08d1771ebbda371533de04376dab828553df21e2552d85dfb0668a82f62be310595079ecd10f7e3763acf5a3c20a4d8a6434b36e591276fd4183032ae

Download Submit
memory/2400-18-0x0000000077E00000-0x0000000077E02000-memory.dmp

Filesize
8KB

Download
memory/2400-33-0x000007FEFDD20000-0x000007FEFDD22000-memory.dmp

Filesize
8KB

Download
memory/2400-15-0x0000000077DF0000-0x0000000077DF2000-memory.dmp

Filesize
8KB

Download
memory/2400-35-0x000007FEFDD20000-0x000007FEFDD22000-memory.dmp

Filesize
8KB

Download
memory/2400-13-0x0000000077DF0000-0x0000000077DF2000-memory.dmp

Filesize
8KB

Download
memory/2400-30-0x0000000077E20000-0x0000000077E22000-memory.dmp

Filesize
8KB

Download
memory/2400-28-0x0000000077E20000-0x0000000077E22000-memory.dmp

Filesize
8KB

Download
memory/2400-26-0x0000000077E20000-0x0000000077E22000-memory.dmp

Filesize
8KB

Download
memory/2400-25-0x0000000077E10000-0x0000000077E12000-memory.dmp

Filesize
8KB

Download
memory/2400-23-0x0000000077E10000-0x0000000077E12000-memory.dmp

Filesize
8KB

Download
memory/2400-21-0x0000000077E10000-0x0000000077E12000-memory.dmp

Filesize
8KB

Download
memory/2400-11-0x0000000077DF0000-0x0000000077DF2000-memory.dmp

Filesize
8KB

Download
memory/2400-0-0x000000013FB57000-0x0000000140C46000-memory.dmp

Filesize
16.9MB

Download
memory/2400-16-0x0000000077E00000-0x0000000077E02000-memory.dmp

Filesize
8KB

Download
memory/2400-38-0x000007FEFDD30000-0x000007FEFDD32000-memory.dmp

Filesize
8KB

Download
memory/2400-40-0x000007FEFDD30000-0x000007FEFDD32000-memory.dmp

Filesize
8KB

Download
memory/2400-20-0x0000000077E00000-0x0000000077E02000-memory.dmp

Filesize
8KB

Download
memory/2400-10-0x0000000077DE0000-0x0000000077DE2000-memory.dmp

Filesize
8KB

Download
memory/2400-8-0x0000000077DE0000-0x0000000077DE2000-memory.dmp

Filesize
8KB

Download
memory/2400-6-0x0000000077DE0000-0x0000000077DE2000-memory.dmp

Filesize
8KB

Download
memory/2400-5-0x0000000077DD0000-0x0000000077DD2000-memory.dmp

Filesize
8KB

Download
memory/2400-43-0x000000013FB00000-0x0000000142364000-memory.dmp

Filesize
40.4MB

Download
memory/2400-41-0x000000013FB00000-0x0000000142364000-memory.dmp

Filesize
40.4MB

Download
memory/2400-69-0x000000013FB00000-0x0000000142364000-memory.dmp

Filesize
40.4MB

Download
memory/2400-70-0x000000013FB00000-0x0000000142364000-memory.dmp

Filesize
40.4MB

Download
memory/2400-1-0x0000000077DD0000-0x0000000077DD2000-memory.dmp

Filesize
8KB

Download
memory/2400-3-0x0000000077DD0000-0x0000000077DD2000-memory.dmp

Filesize
8KB

Download
memory/2400-99-0x000000013FB57000-0x0000000140C46000-memory.dmp

Filesize
16.9MB

Download
memory/2400-100-0x000000013FB00000-0x0000000142364000-memory.dmp

Filesize
40.4MB

Download

Analysis

Sharing