Resubmissions

  • 11-05-2023 23:45    230511-3r21vaba37    10
  • 11-05-2023 14:55    230511-saw36afh91    10
  • 10-05-2023 18:44    230510-xdkazshg76    10
  • 08-05-2023 20:41    230508-zgd99aed8v    10

General

  • Target: 005bcf051418d05c2750b593278c9fc8.exe
  • Size: 6KB
  • Sample: 230511-3r21vaba37
  • MD5: 005bcf051418d05c2750b593278c9fc8
  • SHA1: 3425e499c953eefad59edde4f83e1c04687799c7
  • SHA256: 9b6573b930e72d319ef4efa0975ff1b59673f96633a03d5e338bc8d7418418f4
  • SHA512: 25faa9966fa531c948c00c2454427220ba79d28230fdac1aec0a5793983d07ff2d71dba0b122bcc5bc24abb1fd18586fe2d4215d796eb9b0ba1d55099538f679
  • SSDEEP: 96:MEOIQNVjrXcWD7RtwkYv1X5Yp7svNzNt:MFIojrsWHnwkYv1XyIn

Malware Config

Extracted
  • Language: ps1
  • Deobfuscated
  • URLs (ps1.dropper): http://62.204.41.23/r.png

Extracted
  • Language: ps1
  • Deobfuscated
  • URLs (ps1.dropper): http://62.204.41.23/file.png

Extracted
  • Language: ps1
  • Deobfuscated
  • URLs (ps1.dropper): http://62.204.41.23/o.png

Extracted
  • Family: smokeloader
  • Botnet: sprg

Extracted
  • Family: smokeloader
  • Version: 2022
  • C2:
    http://hoh0aeghwugh2gie.com/
    http://hie7doodohpae4na.com/
    http://aek0aicifaloh1yo.com/
    http://yic0oosaeiy7ahng.com/
    http://wa5zu7sekai8xeih.com/

rc4.i32
rc4.i32

Targets

    • Gh0st RAT payload

    • Gh0strat
      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • RedLine
      RedLine Stealer is a malware family written in C#, first seen in early 2020.

    • RedLine payload

    • SmokeLoader
      Modular backdoor trojan in use since 2014.

    • Vidar
      Vidar is an infostealer based on the Arkei stealer.

    • Deletes shadow copies
      Ransomware often targets backup files to inhibit system recovery.

    • Downloads MZ/PE file

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • UPX packed file
      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Uses the VBS compiler for execution

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks