General

  • Target

    776d703ba06d6334fad959d7c305b8c2.bin

  • Size

    125KB

  • Sample

    230301-bs2ypadf3v

  • MD5

    6d95c33ab260e36590252e76db99f9c5

  • SHA1

    9263ac83322ea51b15d2663195a5e93fd80801ed

  • SHA256

    37bf45cef86915c718dcf4ff8e544a1461f7012d8b779a90daeb3ac32fa11849

  • SHA512

    33d30db512258205ed7996347e22a4d29afa30f9995fb656464cf2a9a55a537e94f13149fc76930142ed18f68119c10d5c01ad573050e287ec044e643221ea79

  • SSDEEP

    1536:HX1Nge+teYnj05Tt01nC/+O19WWTI5BZZH5nD+hP3/yptE89MvdYjTAKz+Ui0322:HRYYt01nCR9ZTynDV/kwTAgY03x+wr

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

rumfa

C2

193.233.20.24:4123

Attributes

  • auth_value

    749d02a6b4ef1fa2ad908e44ec2296dc

Targets

    • Target

      c45365acb54ee1edf3eda04ca895367520f3dcc86772c8561ba6eca0479fe331.exe

    • Size

      192KB

    • MD5

      776d703ba06d6334fad959d7c305b8c2

    • SHA1

      c1bacae38027067a911c382af96c7d5ebc210fb8

    • SHA256

      c45365acb54ee1edf3eda04ca895367520f3dcc86772c8561ba6eca0479fe331

    • SHA512

      11e4bce2b251a9b3d1504ed23aa69a832697bb923db5290eab78c6e4ca38180e65a32500f61756325e156156ed85d00e257c7aaaed72cf3ffd9b1c851a24801f

    • SSDEEP

      3072:V4c4SvQ/YIF1avmmFxFhxmtrU5CxKfJDOZwI6TTA3Uwfyz:Vr4J/YIzC42CNPOOa

    • Detects Smokeloader packer

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Downloads MZ/PE file

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks