Overview

overview

10

Static

static

3

b5237a3f0b...f2.exe

windows7-x64

1

b5237a3f0b...f2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b5237a3f0b1db945c1fe3f9ba71e3ff2.exe

  • Size

    335KB

  • Sample

    230626-q1s33shh92

  • MD5

    b5237a3f0b1db945c1fe3f9ba71e3ff2

  • SHA1

    ba302c3c2490a3b1b04cfbdd76097f2444a54700

  • SHA256

    239c93b0a44ce8723f181a2ec6d17e9fd9516c17241d8f5b2b0212c6d56a9eb2

  • SHA512

    9879c4cd6e995916cbd8cb16f6cb3982b48b0ffc5d01479e2c2f3f73ae46a5129893571f94ded70a0ad61a1340c67ef8214018bbc7e1e17fd5395a4f55fb78a1

  • SSDEEP

    6144:d/sM+uEe4oleWZxrigxyZdXlgdqUh+LoXl4m34fX6Rs+j2exWLsxAFFDwkGklYkv:5sM+uEe30D67j2exWPFxwkiVi

Score
10/10
phobosredlinesmokeloadersystembc1backdoorcollectionevasioninfostealerpersistenceransomwarespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

1

C2

dexstat255.xyz:46578

Attributes
  • auth_value

    c4805fc19583231a4c5bb64b0e833716

Extracted

Family

systembc

C2

adstat277xm.xyz:4044

demstat377xm.xyz:4044

Extracted

Family

smokeloader

Version

2022

C2

http://serverlogs37.xyz/statweb255/

http://servblog757.xyz/statweb255/

http://dexblog45.xyz/statweb255/

http://admlogs.online/statweb255/

http://blogstat355.xyz/statweb255/

http://blogstatserv25.xyz/statweb255/
rc4.i32
rc4.i32

Targets

    • Target

      b5237a3f0b1db945c1fe3f9ba71e3ff2.exe

    • Size

      335KB

    • MD5

      b5237a3f0b1db945c1fe3f9ba71e3ff2

    • SHA1

      ba302c3c2490a3b1b04cfbdd76097f2444a54700

    • SHA256

      239c93b0a44ce8723f181a2ec6d17e9fd9516c17241d8f5b2b0212c6d56a9eb2

    • SHA512

      9879c4cd6e995916cbd8cb16f6cb3982b48b0ffc5d01479e2c2f3f73ae46a5129893571f94ded70a0ad61a1340c67ef8214018bbc7e1e17fd5395a4f55fb78a1

    • SSDEEP

      6144:d/sM+uEe4oleWZxrigxyZdXlgdqUh+LoXl4m34fX6Rs+j2exWLsxAFFDwkGklYkv:5sM+uEe30D67j2exWPFxwkiVi

    Score
    10/10
    phobosredlinesmokeloadersystembc1backdoorcollectionevasioninfostealerpersistenceransomwarespywarestealertrojan

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

      ransomwarephobos

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

      trojansystembc

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (371) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Blocklisted process makes network request

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks