General

  • Target

    076152df033e967ce8aee3d3cbc9b1aafdc07b0cb601e9afa31e7b08d9e5894a

  • Size

    2.6MB

  • Sample

    220419-mkj9fscgck

  • MD5

    fb7c117a520c51ef9709f9466ee99768

  • SHA1

    a112d347cf8d36bc8a748654099a4c1c438ca074

  • SHA256

    076152df033e967ce8aee3d3cbc9b1aafdc07b0cb601e9afa31e7b08d9e5894a

  • SHA512

    16898c7d3c657f28d8c25a7fbcb25132b003119c9d933aa04e332c320a890a8c1a72ac1d5c6948df2e4b940c1f805b1d818aea24be527e473d6e69345e06fc6a

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://hydroxychl0roquine.xyz/

https://hydroxychl0roquine.xyz/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

@ChelnEvreya

C2

46.8.220.88:65531

Attributes
  • auth_value

    d24bb0cd8742d0e0fba1abfab06e4005

Extracted

Family

arkei

Botnet

Default

C2

http://92.119.160.244/Biasdmxit.php

Extracted

Family

redline

Botnet

test run

C2

2.58.56.219:39064

Attributes
  • auth_value

    8d3e3da14c8032e314235e1d040823c7

Targets

    • Target

      076152df033e967ce8aee3d3cbc9b1aafdc07b0cb601e9afa31e7b08d9e5894a

    • Size

      2.6MB

    • MD5

      fb7c117a520c51ef9709f9466ee99768

    • SHA1

      a112d347cf8d36bc8a748654099a4c1c438ca074

    • SHA256

      076152df033e967ce8aee3d3cbc9b1aafdc07b0cb601e9afa31e7b08d9e5894a

    • SHA512

      16898c7d3c657f28d8c25a7fbcb25132b003119c9d933aa04e332c320a890a8c1a72ac1d5c6948df2e4b940c1f805b1d818aea24be527e473d6e69345e06fc6a

    • Arkei

      Arkei is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA Environment Variable M4

      suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA Environment Variable M4

    • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

      suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    • suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks