General

  • Target

    93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15

  • Size

    232KB

  • Sample

    220328-mllhxahee6

  • MD5

    5546c1ab6768292b78c746d9ea627f4a

  • SHA1

    be3bf3f21b6101099bcfd7203a179829aea4b435

  • SHA256

    93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15

  • SHA512

    90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f

Malware Config

Extracted

  • Family

    smokeloader

  • Version

    2020

  • C2

    http://coralee.at/upload/
    http://ducvietcao.com/upload/
    http://biz-acc.ru/upload/
    http://toimap.com/upload/
    http://bbb7d.com/upload/
    http://piratia-life.ru/upload/
    http://curvreport.com/upload/
    http://viagratos.com/upload/
    http://mordo.ru/upload/
    http://pkodev.net/upload/

  • rc4.i32

  • rc4.i32

Extracted

  • Family

    redline

  • Botnet

    111

  • C2

    188.68.205.12:20861

  • Attributes

      • auth_value

        7160caade6584e8f8e67bbb8a6565985

Extracted

  • Family

    socelars

  • C2

    https://sa-us-bucket.s3.us-east-2.amazonaws.com/jhvre24/

Targets

    • Target

      93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15

    • Size

      232KB

    • MD5

      5546c1ab6768292b78c746d9ea627f4a

    • SHA1

      be3bf3f21b6101099bcfd7203a179829aea4b435

    • SHA256

      93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15

    • SHA512

      90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f

    • Modifies Windows Defender Real-time Protection settings

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • OnlyLogger Payload

    • Vidar Stealer

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
