Overview

overview

10

Static

static

1

81f40a8afc...8a.exe

windows7-x64

10

81f40a8afc...8a.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    81f40a8afc158898f127f509853b4c8a.exe

  • Size

    252KB

  • Sample

    230304-jptf5sdc55

  • MD5

    81f40a8afc158898f127f509853b4c8a

  • SHA1

    1f41f28fdf07718d72791e84c373c6bb615fdff9

  • SHA256

    c6df64c1c448ccfccd92366ee2bdbb28c413fda5ba9aaaad1648caf76d6950fb

  • SHA512

    eae89917788e74d23aa3724930f7f46c034914bf5ff9e069df57586d2d6486ab074455f230d7bc6ec09cfcfaa972896acb2f3d96bd1cb6558c9468c7f0b6a8cb

  • SSDEEP

    3072:2gGBWVLdtTuyp9AMlCGjAww/RN7nG/409epf6n3ummj3mh09Gu2v3TQBupbtq/Cx:JBLKA9ZRHw/f4FKSneD2h09o8B7/CAm

Score
10/10
amadeylaplasredlinesmokeloader0102-700-2backdoorclipperdiscoveryinfostealerspywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://c3g6gx853u6j.xyz/

http://04yh16065cdi.xyz/

http://33qd2w560vnx.xyz/

http://neriir0f76gr.com/

http://b4y08hrp3jdb.com/

http://swp6fbywla09.com/

http://7iqt53dr345u.com/

http://mj4aj8r55mho.com/

http://ne4ym7bjn1ts.com/
rc4.i32
rc4.i32

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Extracted

Family

redline

Botnet

02-700-2

C2

167.235.133.96:43849

Attributes
  • auth_value

    8af50b3310e79fa317eef66b1e92900f

Extracted

Family

amadey

Version

3.67

C2

212.118.43.106/dF30Hn4m/index.php

Extracted

Family

redline

Botnet

01

C2

167.235.133.96:43849

Attributes
  • auth_value

    a158e35a6caac69f2614dc12bb02fdf2

Targets

    • Target

      81f40a8afc158898f127f509853b4c8a.exe

    • Size

      252KB

    • MD5

      81f40a8afc158898f127f509853b4c8a

    • SHA1

      1f41f28fdf07718d72791e84c373c6bb615fdff9

    • SHA256

      c6df64c1c448ccfccd92366ee2bdbb28c413fda5ba9aaaad1648caf76d6950fb

    • SHA512

      eae89917788e74d23aa3724930f7f46c034914bf5ff9e069df57586d2d6486ab074455f230d7bc6ec09cfcfaa972896acb2f3d96bd1cb6558c9468c7f0b6a8cb

    • SSDEEP

      3072:2gGBWVLdtTuyp9AMlCGjAww/RN7nG/409epf6n3ummj3mh09Gu2v3TQBupbtq/Cx:JBLKA9ZRHw/f4FKSneD2h09o8B7/CAm

    Score
    10/10
    smokeloaderbackdoortrojanamadeylaplasredline0102-700-2clipperdiscoveryinfostealerspywarestealer

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Smokeloader packer

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

      stealerclipperlaplas

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

5
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks