General

  • Target

    b5237a3f0b1db945c1fe3f9ba71e3ff2.exe

  • Size

    335KB

  • Sample

    230626-q1s33shh92

  • MD5

    b5237a3f0b1db945c1fe3f9ba71e3ff2

  • SHA1

    ba302c3c2490a3b1b04cfbdd76097f2444a54700

  • SHA256

    239c93b0a44ce8723f181a2ec6d17e9fd9516c17241d8f5b2b0212c6d56a9eb2

  • SHA512

    9879c4cd6e995916cbd8cb16f6cb3982b48b0ffc5d01479e2c2f3f73ae46a5129893571f94ded70a0ad61a1340c67ef8214018bbc7e1e17fd5395a4f55fb78a1

  • SSDEEP

    6144:d/sM+uEe4oleWZxrigxyZdXlgdqUh+LoXl4m34fX6Rs+j2exWLsxAFFDwkGklYkv:5sM+uEe30D67j2exWPFxwkiVi

Malware Config

Extracted

Family

redline

Botnet

1

C2

dexstat255.xyz:46578

Attributes
  • auth_value

    c4805fc19583231a4c5bb64b0e833716

Extracted

Family

systembc

C2

adstat277xm.xyz:4044

demstat377xm.xyz:4044

Extracted

Family

smokeloader

Version

2022

C2

http://serverlogs37.xyz/statweb255/

http://servblog757.xyz/statweb255/

http://dexblog45.xyz/statweb255/

http://admlogs.online/statweb255/

http://blogstat355.xyz/statweb255/

http://blogstatserv25.xyz/statweb255/

rc4.i32
rc4.i32

Targets

    • Target

      b5237a3f0b1db945c1fe3f9ba71e3ff2.exe

    • Size

      335KB

    • MD5

      b5237a3f0b1db945c1fe3f9ba71e3ff2

    • SHA1

      ba302c3c2490a3b1b04cfbdd76097f2444a54700

    • SHA256

      239c93b0a44ce8723f181a2ec6d17e9fd9516c17241d8f5b2b0212c6d56a9eb2

    • SHA512

      9879c4cd6e995916cbd8cb16f6cb3982b48b0ffc5d01479e2c2f3f73ae46a5129893571f94ded70a0ad61a1340c67ef8214018bbc7e1e17fd5395a4f55fb78a1

    • SSDEEP

      6144:d/sM+uEe4oleWZxrigxyZdXlgdqUh+LoXl4m34fX6Rs+j2exWLsxAFFDwkGklYkv:5sM+uEe30D67j2exWPFxwkiVi

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (371) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Blocklisted process makes network request

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks