Overview

overview

10

Static

static

1

2a05b42d2c...b8.exe

windows7-x64

10

2a05b42d2c...b8.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ca60a396915eb96aa8b5f7a0c5ff07f8.bin

  • Size

    167KB

  • Sample

    230326-cd1bzshb51

  • MD5

    cc40340433c0e3e669b66a761bc77bd6

  • SHA1

    fa78e57b4dff32794b1551a5d20fa213b97e55a4

  • SHA256

    0c0a0bacac6f97f343c96df99f474cfeae3bdaa549b43eccdcf520ad893d3a7c

  • SHA512

    1545169819154fa0fbaaa8339eee6a63ab6444bc6257d9ce114221dac75291c9893f4b25e3784df635b0299c13a2c9ad6105433e5714e1c9b2c0aa92f584cebc

  • SSDEEP

    3072:lyCPboZk8oBmEZOP03udCMTLB8RdX0q2P9ltdteyJN:lBTsk8umEUSsCMPK3EVPJN

Score
10/10
redlinerhadamanthyssmokeloaderkoreamonpub4backdoorcollectiondiscoveryinfostealerspywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2022

C2

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

koreamon

C2

koreamonitoring.com:80

Attributes
  • auth_value

    1a0e1a9f491ef3df873a03577dfa10aa

Targets

    • Target

      2a05b42d2c3c8b84d7e5343ba39030b16004622607ef49a11d75249d3a8a03b8.exe

    • Size

      276KB

    • MD5

      ca60a396915eb96aa8b5f7a0c5ff07f8

    • SHA1

      19ca5be22c6b07418a18aa93931d41a0b11c3b9e

    • SHA256

      2a05b42d2c3c8b84d7e5343ba39030b16004622607ef49a11d75249d3a8a03b8

    • SHA512

      c487b8803e3eae896483075819738954c611330021ad6d9fa5b4ff8bfab380836eb7ab73edbc7ad2f24e08da170e9c11f1262305f0e6a36f5663eaf63462ca2e

    • SSDEEP

      3072:oxkfN82xxRYCCd5kxUlfCDmDdZzlzxnsdJFqwWNb2oaqR0d2KWN8aeeL:Uw2cY/fCDAlzxdDJ2/qR0sKva

    Score
    10/10
    smokeloaderpub4backdoortrojanredlinerhadamanthyskoreamoncollectiondiscoveryinfostealerspywarestealer

    • Detect rhadamanthys stealer shellcode

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks