General

  • Target

    8a7bd81348d196411870662f20f8070ebc068ee21de4cbae342ea44da41da0bc

  • Size

    277KB

  • Sample

    230324-1ggaaabf6z

  • MD5

    0ae23cd6bb94954011e39d65cd859740

  • SHA1

    53b9b06b65c708eff41deb34d221563ac77453fa

  • SHA256

    8a7bd81348d196411870662f20f8070ebc068ee21de4cbae342ea44da41da0bc

  • SHA512

    e913898913e49cb170fde0cbee257fd2af0fb9d931daeeb3d8902b44b14e7ab6ee30d8dc118ff95e5bc2f8f6e827fa0abb94a8d351c3b075c5f1431f268083a8

  • SSDEEP

    3072:exlPvo2dcvcCN75ABlfTynGydZxALCyFI1VENsRyWf8Ml7sWYu0ZWnMWN8aeeL:e9gVZaTynKCGI0HWf8SYWY6Mva

Malware Config

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

smokeloader

Version

2022

C2

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/

rc4.i32
rc4.i32

Extracted

Family

raccoon

Botnet

b68788975ed4f9b62a22d17711a68c8f

C2

http://185.106.92.151

http://185.106.92.27

rc4.plain

Targets

    • Target

      8a7bd81348d196411870662f20f8070ebc068ee21de4cbae342ea44da41da0bc

    • Size

      277KB

    • MD5

      0ae23cd6bb94954011e39d65cd859740

    • SHA1

      53b9b06b65c708eff41deb34d221563ac77453fa

    • SHA256

      8a7bd81348d196411870662f20f8070ebc068ee21de4cbae342ea44da41da0bc

    • SHA512

      e913898913e49cb170fde0cbee257fd2af0fb9d931daeeb3d8902b44b14e7ab6ee30d8dc118ff95e5bc2f8f6e827fa0abb94a8d351c3b075c5f1431f268083a8

    • SSDEEP

      3072:exlPvo2dcvcCN75ABlfTynGydZxALCyFI1VENsRyWf8Ml7sWYu0ZWnMWN8aeeL:e9gVZaTynKCGI0HWf8SYWY6Mva

    • Detects Echelon Stealer payload

    • Echelon

      Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks