General

  • Target

    ef04fe325737cad04ca603cf3a72a71b86bc51786b696972e243cbd0612538b1

  • Size

    304KB

  • Sample

    230716-ngvrfsee26

  • MD5

    16c9fd8d675b5498e0ceff5bc4fec24e

  • SHA1

    dc0bf40b9dd65c7d25829c9912591dd5118d3ae3

  • SHA256

    ef04fe325737cad04ca603cf3a72a71b86bc51786b696972e243cbd0612538b1

  • SHA512

    840c285df940177519d06ef0596aa33b40ff8459c1ef4d06dd57caa7d97e0b908a7ab9d785f042dd6a52b46e793dca771adc1f272254757a9193db0f1677089e

  • SSDEEP

    3072:+yLxBCoraSJWXrPesHgcLfOiy3XaBdDqRmm2y1d2Z5CcwlgZDGW:TLxIAaSMXjBXbOi6wJmf1sOcFG

Malware Config

Extracted

Family

smokeloader

Botnet

summ

Extracted

Family

smokeloader

Version

2022

C2

http://stalagmijesarl.com/

http://ukdantist-sarl.com/

http://cpcorprotationltd.com/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

cc

C2

94.228.169.160:43800

Attributes
  • auth_value

    ec4d19a9dd758ace38b4f5b4a447b048

Extracted

Family

lumma

C2

gstatic-node.io

Targets

    • Target

      ef04fe325737cad04ca603cf3a72a71b86bc51786b696972e243cbd0612538b1

    • Size

      304KB

    • MD5

      16c9fd8d675b5498e0ceff5bc4fec24e

    • SHA1

      dc0bf40b9dd65c7d25829c9912591dd5118d3ae3

    • SHA256

      ef04fe325737cad04ca603cf3a72a71b86bc51786b696972e243cbd0612538b1

    • SHA512

      840c285df940177519d06ef0596aa33b40ff8459c1ef4d06dd57caa7d97e0b908a7ab9d785f042dd6a52b46e793dca771adc1f272254757a9193db0f1677089e

    • SSDEEP

      3072:+yLxBCoraSJWXrPesHgcLfOiy3XaBdDqRmm2y1d2Z5CcwlgZDGW:TLxIAaSMXjBXbOi6wJmf1sOcFG

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks