General

  • Target

    win_setup__621708b8b769c.exe

  • Size

    6.0MB

  • Sample

    220224-e9nzyadcan

  • MD5

    be2caaf0356171d4f6c109f720edb75f

  • SHA1

    327d9610f733c5e9d76eeb55739cea70523e84c6

  • SHA256

    054f4390cf430a215bbac1f9eb82969666157f3dcd60a526cb8876dcca88fdcb

  • SHA512

    202bc1e205ee6f0e3f913fd8e86feac42f6ec8d3daa10004886659f18e13d68b9cdf61fea43dc4b12a142b6ac2fbf9009333d8801f3ba3d4f7436607ad3c4845

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://pjure.at/upload/

http://puffersweiven.com/upload/

http://algrcabel.ru/upload/

http://pelangiqq99.com/upload/

http://elsaunny.com/upload/

http://korphoto.com/upload/

http://hangxachtaythodoan.com/upload/

http://pkodev.net/upload/

http://go-piratia.ru/upload/

http://piratia.su/upload/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

mediam10

C2

92.255.57.154:11841

Attributes
  • auth_value

    c244f3014e6aa11d9b853b0c94e0743e

Targets

    • Target

      win_setup__621708b8b769c.exe

    • Size

      6.0MB

    • MD5

      be2caaf0356171d4f6c109f720edb75f

    • SHA1

      327d9610f733c5e9d76eeb55739cea70523e84c6

    • SHA256

      054f4390cf430a215bbac1f9eb82969666157f3dcd60a526cb8876dcca88fdcb

    • SHA512

      202bc1e205ee6f0e3f913fd8e86feac42f6ec8d3daa10004886659f18e13d68b9cdf61fea43dc4b12a142b6ac2fbf9009333d8801f3ba3d4f7436607ad3c4845

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

      suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    • suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

      suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    • OnlyLogger Payload

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

5
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Tasks