General

  • Target: e9f8b316306170264c2640f235e5d7dd2470d74123566509d7a21984778720dd
  • Size: 139KB
  • Sample: 221225-t7zqzsbg46
  • MD5: 009c9cd98676d5e42c5fd82aa6feccc5
  • SHA1: dd07c3c52eeeacf8d417f276ad96fe3b1c948a41
  • SHA256: d4b306e4c28d00219a741f8354396015ae16c306cb23a0b4edbaf38b83d49880
  • SHA512: aa5a044c04be0ff530517f07a979cf78b02c4e5706d07623fa95b124d6ab0467e114fdf5f53c3fdb9ed296ed6d45e690c26ffdca3be655477bc77369dce47bd7
  • SSDEEP: 3072:KszyILGLSR4CP6R/DVM/UHUU3UD/Nb9+XuwdoqhTq/0qUQ:KmEM4H/lUU3UD/Nb9++wm2I0o

Malware Config

Extracted

  • Family: redline
  • Botnet: 11
  • C2: 79.137.202.18:45218
  • Attributes
    • auth_value: 107e09eee63158d2488feb03dac75204

Extracted

  • Family: aurora
  • C2: 195.43.142.218:8081

Targets

    • Target: e9f8b316306170264c2640f235e5d7dd2470d74123566509d7a21984778720dd
    • Size: 231KB
    • MD5: ff58b2c40941c7066739fe425f01d928
    • SHA1: ea2044c506fcea503f82fe1bc74c031db636aa59
    • SHA256: e9f8b316306170264c2640f235e5d7dd2470d74123566509d7a21984778720dd
    • SHA512: e42721c6062dc72d5f6141a4bc21140e571259b97443a306debdaea72864d452c8b04429d66743db6915af57ce2ddcff352fe4962fe0eb2ef9b109237502d6a7
    • SSDEEP: 3072:c5d+LO82n5TfpgX4h2XVCkFLq5c6Ka8tJ/OkZFw7RkxmJZs:cWLp2BOFCkFu57iJ/OkrGymI

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                 Technique                      #   ID
  Execution              Scripting                      1   T1064
  Defense Evasion        Scripting                      1   T1064
  Credential Access      Credentials in Files           2   T1081
  Discovery              Query Registry                 1   T1012
  Discovery              Peripheral Device Discovery    1   T1120
  Discovery              System Information Discovery   1   T1082
  Collection             Data from Local System         2   T1005
  Command and Control    Web Service                    1   T1102

Tasks