General

  • Target

    10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.zip

  • Size

    140KB

  • Sample

    230311-s6kp1aca6t

  • MD5

    df5af7d049c41c12cc017feb5c46d1fc

  • SHA1

    6dfde96c74e1249ea39f2af1dfb17b28ed75a2a8

  • SHA256

    5f1fa1d46b0a90a855db5a2b0100ae83164fc1168587373a2b62ee22f75cbe54

  • SHA512

    b89d099825c6020dc4840d211ca419e4c55aead80a835f602fdad8f63d24bb5ef7d45c4f8bf1ff784acb28fd8f383c096e5c23e7bb2301e40aac13bf63387be4

  • SSDEEP

    3072:NV0ijW8SZgrAXJXr62rHwOa+6D3L5UQQ8DIzxuvaDQZgCwZLM7gF8b8:NV0ij4JXpQzqQQ8DItuvaDUHgk8

Malware Config

Extracted

Family

smokeloader

Botnet

2023

Extracted

Family

smokeloader

Version

2022

C2

http://c3g6gx853u6j.xyz/

http://04yh16065cdi.xyz/

http://33qd2w560vnx.xyz/

http://neriir0f76gr.com/

http://b4y08hrp3jdb.com/

http://swp6fbywla09.com/

http://7iqt53dr345u.com/

http://mj4aj8r55mho.com/

http://ne4ym7bjn1ts.com/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

02-700-2

C2

167.235.133.96:43849

Attributes
  • auth_value

    8af50b3310e79fa317eef66b1e92900f

Extracted

Family

redline

C2

37.220.87.13:40676

Attributes
  • auth_value

    867b4fb099bee5476c9e3f8bc16937ad
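
The two RedLine configs and the SmokeLoader config above give a mix of C2 URLs and raw ip:port sockets. The script below is an added example (not part of this sandbox report or of any of the malware families' own code): it validates each C2 entry, classifies it, defangs it for sharing, and emits Suricata rules for it. The C2 list is copied from the report above; the SID range, the rule messages and the use of the Suricata 5+ `dns.query`/`endswith` keywords are assumptions.

```python
"""Turn the extracted SmokeLoader/RedLine C2 entries into validated,
defanged IOCs and Suricata rules.  Added example, not code from the report."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed inline from the "Malware Config" section of the report above.
EXTRACTED_CONFIGS = [
    {"family": "smokeloader", "version": "2022", "c2": [
        "http://c3g6gx853u6j.xyz/", "http://04yh16065cdi.xyz/", "http://33qd2w560vnx.xyz/",
        "http://neriir0f76gr.com/", "http://b4y08hrp3jdb.com/", "http://swp6fbywla09.com/",
        "http://7iqt53dr345u.com/", "http://mj4aj8r55mho.com/", "http://ne4ym7bjn1ts.com/",
    ]},
    {"family": "redline", "botnet": "02-700-2", "c2": ["167.235.133.96:43849"]},
    {"family": "redline", "c2": ["37.220.87.13:40676"]},
]

IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def classify_c2(entry):
    """Return ("url", host, port) or ("socket", ip, port).

    Raises ValueError for anything that is not a clean http(s) URL or a
    valid IPv4 ip:port, so a mangled config field never becomes a rule."""
    m = IP_PORT.match(entry)
    if m:
        ip = ipaddress.ip_address(m.group(1))  # rejects octets > 255
        port = int(m.group(2))
        if not 0 < port < 65536:
            raise ValueError(f"bad port in {entry!r}")
        return ("socket", str(ip), port)
    parts = urlsplit(entry)
    if parts.scheme in ("http", "https") and parts.hostname:
        default = 443 if parts.scheme == "https" else 80
        return ("url", parts.hostname, parts.port or default)
    raise ValueError(f"unrecognised C2 entry {entry!r}")


def defang(indicator):
    """hxxp:// and [.] so the IOC cannot be clicked in a ticket or chat."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def defanged_iocs(configs):
    """One tab-separated line per C2: family, kind, defanged host, port."""
    return [f"{cfg['family']}\t{kind}\t{defang(host)}\t{port}"
            for cfg in configs
            for kind, host, port in map(classify_c2, cfg["c2"])]


def suricata_rules(configs, base_sid=9000000):
    """Emit one rule per unique C2.  base_sid is an assumed local SID range.

    Domains are matched on the DNS query (the sandbox report does not give
    resolved IPs for the SmokeLoader hosts); socket C2s are matched on
    destination ip:port."""
    rules, seen, sid = [], set(), base_sid
    for cfg in configs:
        for entry in cfg["c2"]:
            kind, host, port = classify_c2(entry)
            if (kind, host, port) in seen:
                continue
            seen.add((kind, host, port))
            tag = f"{cfg['family'].upper()} C2"
            if kind == "url":
                rules.append(
                    f'alert dns $HOME_NET any -> any any (msg:"{tag} domain {host}"; '
                    f'dns.query; content:"{host}"; nocase; endswith; sid:{sid}; rev:1;)')
            else:
                rules.append(
                    f'alert tcp $HOME_NET any -> {host} {port} (msg:"{tag} {host}:{port}"; '
                    f'flow:to_server; sid:{sid}; rev:1;)')
            sid += 1
    return rules


if __name__ == "__main__":
    print("\n".join(defanged_iocs(EXTRACTED_CONFIGS)))
    print("\n".join(suricata_rules(EXTRACTED_CONFIGS)))
```

The domain rules key on the DNS lookup rather than on an HTTP host header because SmokeLoader's disposable .xyz/.com domains can re-resolve to fresh infrastructure; the RedLine entries are bare sockets, so they are matched on destination address and port instead.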

Targets

    • Target

      10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.exe

    • Size

      215KB

    • MD5

      64e1d7ec7103d1a04029c4db2941a8d3

    • SHA1

      706a486a113041efd175ed05bf86fd5aad67083f

    • SHA256

      10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f

    • SHA512

      b38c7104b5406ef1ef212637c7bf201e182359f5bed078ca9718ebfbf0ed5f59927a612ce422e7eab692c591c9089c8c3231f49966e75e28af7c2ff0f675277d

    • SSDEEP

      3072:paUIvLUh91b504gy5kJM0yD1h52aNfC6YQGJ58ZdIqxQYzEVb:sUwLk91sZyphoaNfLYrJ58FFzyb

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix ATT&CK v6

Tactic                  Technique                      Count  ID
Execution               Scheduled Task                 1      T1053
Persistence             Scheduled Task                 1      T1053
Privilege Escalation    Scheduled Task                 1      T1053
Discovery               Query Registry                 3      T1012
Discovery               System Information Discovery   3      T1082
Discovery               Peripheral Device Discovery    1      T1120
Command and Control     Web Service                    1      T1102

Tasks