General

  • Target

    b817002c69c6315e116f14d6fe64151577999eb773842.exe

  • Size

    150KB

  • Sample

    210820-yy152tnjpn

  • MD5

    e77188581c0cb93c5821999d39d979e2

  • SHA1

    a11e5624e493ef524fffad14ec2488b00ff601c9

  • SHA256

    b817002c69c6315e116f14d6fe64151577999eb773842f052fb17d9a7413a53c

  • SHA512

    41ae5252a62ed2cc0f108059e6d6b496f6e9451bb3398137310b5d9907128aedbcf8c3c656522c52f68e392cfac641e7b42fc61c82506a6ba6b6d654b71de1c8

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

777

C2

51.254.68.139:8067

Extracted

Family

redline

Botnet

#MIX 19.08

C2

gophamanapr.site:80

Extracted

Family

raccoon

Botnet

fe582536ec580228180f270f7cb80a867860e010

Attributes
  • url4cnc

    https://telete.in/xylichanjk

rc4.plain
rc4.plain

Targets

    • Target

      b817002c69c6315e116f14d6fe64151577999eb773842.exe

    • Size

      150KB

    • MD5

      e77188581c0cb93c5821999d39d979e2

    • SHA1

      a11e5624e493ef524fffad14ec2488b00ff601c9

    • SHA256

      b817002c69c6315e116f14d6fe64151577999eb773842f052fb17d9a7413a53c

    • SHA512

      41ae5252a62ed2cc0f108059e6d6b496f6e9451bb3398137310b5d9907128aedbcf8c3c656522c52f68e392cfac641e7b42fc61c82506a6ba6b6d654b71de1c8

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

      suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    • suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

      suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

      suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • XMRig Miner Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

3
T1005

Command and Control

Web Service

1
T1102

Tasks