Resubmissions

13-08-2023 12:08

230813-pa3zxsbg24 10

13-08-2023 11:51

230813-n1k2csdf31 10

General

  • Target

    bc587f9de7ecdecfc9a9d45207cfe5980b5a9342a9157877cfcb2026d5a8e6d6

  • Size

    273KB

  • Sample

    230813-n1k2csdf31

  • MD5

    a7db7ad42388f409157f258de45fd4af

  • SHA1

    8677a47b1400894491875e4b0e4bc86ae4152988

  • SHA256

    bc587f9de7ecdecfc9a9d45207cfe5980b5a9342a9157877cfcb2026d5a8e6d6

  • SHA512

    730bc6b71f44f45bf2e141aab659de8afdf3df039502be8f67c401e53ca7eea3cecf4703b418d12be760be36b10bff88801ae0bf2d090628af5a18eb55cdb398

  • SSDEEP

    3072:uXULEVFLzaWVLxYrKckgYW7IP4fQMmyg8596C8bd:244FLzfVLxcOvpg6lbd

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

lux3

C2

176.123.9.142:14845

Attributes
  • auth_value

    e94dff9a76da90d6b000642c4a52574b

Extracted

Family

vidar

Version

5.1

Botnet

d2840cabd9794f85353e1fae1cd95a0b

C2

https://t.me/tatlimark

https://steamcommunity.com/profiles/76561199536605936

Attributes
  • profile_id_v2

    d2840cabd9794f85353e1fae1cd95a0b

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

51.83.170.21:19447

Attributes
  • auth_value

    3a050df92d0cf082b2cdaf87863616be

Extracted

Family

amadey

Version

3.87

C2

79.137.192.18/9bDc8sQ/index.php
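The four extracted configurations above carry their C2 indicators in three different shapes: scheme-qualified URLs (SmokeLoader), bare ip:port sockets (RedLine), and host-plus-path entries where the host is a public service or an IP (Vidar, Amadey). As an added example that is not part of this sandbox report, the following Python normalises those values into a single indicator set and matches constructed proxy/DNS log lines against it. The log line format, the SHARED_HOSTS handling of t.me and steamcommunity.com, and the sample traffic are assumptions of the example; only the C2 values themselves come from the report.

```python
"""
Added example (not part of the sandbox report): turn the C2 values the report
extracted for SmokeLoader, RedLine, Vidar and Amadey into a normalised
indicator set and match constructed proxy/DNS log lines against it.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Indicators copied verbatim from the report's "Malware Config" section.
EXTRACTED_C2 = {
    "smokeloader": [
        "http://potunulit.org/", "http://hutnilior.net/", "http://bulimu55t.net/",
        "http://soryytlic4.net/", "http://novanosa5org.org/", "http://nuljjjnuli.org/",
        "http://tolilolihul.net/", "http://somatoka51hub.net/", "http://hujukui3.net/",
        "http://bukubuka1.net/", "http://golilopaster.org/", "http://newzelannd66.org/",
        "http://otriluyttn.org/",
    ],
    "redline": ["176.123.9.142:14845", "51.83.170.21:19447"],
    "vidar": ["https://t.me/tatlimark",
              "https://steamcommunity.com/profiles/76561199536605936"],
    "amadey": ["79.137.192.18/9bDc8sQ/index.php"],
}

# Assumption of this example: Vidar's entries point at public profile pages, so
# the hostname alone would match legitimate traffic; only the full path counts.
SHARED_HOSTS = {"t.me", "steamcommunity.com"}


def classify(c2: str) -> tuple[str, str]:
    """Normalise one extracted C2 string to (kind, value).

    kind is 'domain' (alert on the name), 'socket' (raw ip:port, as RedLine
    uses) or 'url' (host plus path, where the host alone is not enough).
    """
    if "://" not in c2:          # RedLine and Amadey entries carry no scheme
        c2 = "http://" + c2
    parts = urlsplit(c2)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    if host in SHARED_HOSTS or (is_ip and path != "/"):
        return ("url", host + path)
    if is_ip:
        return ("socket", f"{host}:{parts.port}" if parts.port else host)
    return ("domain", host)


def build_indicators() -> dict[tuple[str, str], str]:
    """Map every normalised indicator to the family it was extracted for."""
    return {classify(c2): family
            for family, c2s in EXTRACTED_C2.items() for c2 in c2s}


def match_line(line: str, indicators: dict[tuple[str, str], str]) -> str | None:
    """Return the matching family for one log line, or None.

    Constructed log format (an assumption of this example):
        <timestamp> <client_ip> DNS <name>
        <timestamp> <client_ip> CONNECT <host>:<port>
        <timestamp> <client_ip> GET <url>
    """
    _ts, _client, verb, target = line.split(maxsplit=3)
    if verb == "DNS":
        candidates = [("domain", target.lower())]
    elif verb == "CONNECT":
        host, _, _port = target.rpartition(":")
        candidates = [("socket", target.lower()), ("domain", host.lower())]
    else:  # GET: try the exact host+path first, then the looser host-level keys
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()
        candidates = [("url", host + (parts.path or "/")), ("domain", host)]
        if parts.port:
            candidates.append(("socket", f"{host}:{parts.port}"))
    for key in candidates:
        if key in indicators:
            return indicators[key]
    return None


# Constructed sample traffic, not taken from the report.
SAMPLE_LOG = [
    "2023-08-13T12:08:01Z 10.0.0.5 DNS potunulit.org",
    "2023-08-13T12:08:02Z 10.0.0.5 CONNECT 176.123.9.142:14845",
    "2023-08-13T12:08:03Z 10.0.0.5 GET https://steamcommunity.com/profiles/76561199536605936",
    "2023-08-13T12:08:04Z 10.0.0.5 GET https://steamcommunity.com/app/730",
    "2023-08-13T12:08:05Z 10.0.0.5 GET http://79.137.192.18/9bDc8sQ/index.php",
    "2023-08-13T12:08:06Z 10.0.0.5 DNS www.example.com",
]


def scan(lines=SAMPLE_LOG) -> list[tuple[str, str]]:
    """Return (line, family) for every line that hits an indicator."""
    indicators = build_indicators()
    return [(ln, fam) for ln in lines if (fam := match_line(ln, indicators))]


if __name__ == "__main__":
    for kind, value in sorted(build_indicators()):
        print(f"{kind:7} {value}")
    for ln, fam in scan():
        print(f"{fam:12} <- {ln}")
```

The point of the three indicator kinds is precision: a DNS block on potunulit.org is safe, a block on steamcommunity.com is not, and RedLine's socket never appears in DNS or HTTP logs at all, so it has to be matched on the CONNECT or NetFlow side. The unrelated steamcommunity.com request in the sample traffic stays unmatched for exactly that reason.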

Targets

    • Target

      bc587f9de7ecdecfc9a9d45207cfe5980b5a9342a9157877cfcb2026d5a8e6d6

    • Size

      273KB

    • Amadey

      Amadey is a simple trojan bot primarily used for collecting reconnaissance information.

    • Djvu Ransomware

      Ransomware that is a variant of the STOP family.

    • RedLine

      RedLine Stealer is a malware family written in C#, first seen in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Vidar

      Vidar is an infostealer based on the Arkei stealer.

    • Downloads MZ/PE file

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
