General

  • Target

    a4b18ce54301fdad6c022f031fb60c656b730ac90399ee7b2a8ba2f675b0297e

  • Size

    132KB

  • Sample

    220924-s9mc1abef5

  • MD5

    e6593cedd540ca0fe5b687a6e2af3019

  • SHA1

    2f9e30e5a81577b454b5664ef553ad915466400b

  • SHA256

    a5b555abb09d733e2aa67f9b88dd42cbf9ab0ad2fd9bce1abaf9ef7319187c7f

  • SHA512

    4f4e11e1e956f1d7d52cfc94cc6c6af1ab3544da015b88a3e63eee5668e4971cd9ba19b10ba4681ed8d1c2eba7fb5b2c58e49e47682512812f61262a59961098

  • SSDEEP

    3072:RvR7/pfLA9UbUoDPaYxKb2LrpyrvmAoTS1k9+OmT6qpXLOc4Kdux+I275hGpcQv7:R5VfLAnojaoKbOEiBTSg82qpE5c5YZv7

Malware Config

  • Extracted

    Family: tofsee
    C2:
      svartalfheim.top
      jotunheim.name

  • Extracted

    Family: redline
    Botnet: LogsDiller Cloud (TG: @me_golds)
    C2: 77.73.134.27:7161
    Attributes:
      auth_value = e136da06c7c0400f4091dab1787720ea

Targets

    • Target

      a4b18ce54301fdad6c022f031fb60c656b730ac90399ee7b2a8ba2f675b0297e

    • Size

      196KB

    • MD5

      8e28c598cc3748e178fc122402d2efa5

    • SHA1

      645ecc9547792cf551c96fb361c10f020984dcbb

    • SHA256

      a4b18ce54301fdad6c022f031fb60c656b730ac90399ee7b2a8ba2f675b0297e

    • SHA512

      b4cb9af35ee6b9a0024bce852effe8bd7981b5d5eaf68721d758386004e3fa47c7cf70b773305a14a1d8c672831d411edd10fa68e391a1f5c9b9f53d8e9269b5

    • SSDEEP

      3072:cekgbLjJ+kMX85vXkfzoaIscnt0mQbeBtKTxPmv/Pka4x:hLgkM+00aIN8c

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Tofsee

      Backdoor/botnet that carries out malicious activities based on commands received from a C2 server.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    T1050  New Service  (1)
    T1031  Modify Existing Service  (1)
    T1060  Registry Run Keys / Startup Folder  (1)

  • Privilege Escalation

    T1050  New Service  (1)

  • Defense Evasion

    T1112  Modify Registry  (1)

  • Credential Access

    T1081  Credentials in Files  (2)

  • Discovery

    T1012  Query Registry  (2)
    T1082  System Information Discovery  (3)
    T1120  Peripheral Device Discovery  (1)

  • Collection

    T1005  Data from Local System  (2)

Tasks