General

  • Target

    8c97538d9d9f4f89a37aef0136ebfa0a56459a9aca73d5e962dd149835288b43

  • Size

    232KB

  • Sample

    230816-ywwbmsdg93

  • MD5

    013c57f91f96219acd3cdbb7b497e88e

  • SHA1

    32d8354180e1875b58870f41132ea5f59796ea82

  • SHA256

    8c97538d9d9f4f89a37aef0136ebfa0a56459a9aca73d5e962dd149835288b43

  • SHA512

    7f881a3ee897abda11a74085d73a0f801877f9edb803b24f2deda467981464438e84bc96f7252ebe1ba63360c0d51a793a4681ae24c64ccf5e569f42b5d95e87

  • SSDEEP

    6144:nNGJLJHMwDGzqnrmasHqeghhIlsyRdad:nSFHMXzCrDsHqeg30Fa

Malware Config

Extracted

Family

smokeloader

Version

2022

C2


rc4.i32

Extracted

Family

redline

Botnet

lux3

C2

176.123.9.142:14845

Attributes
  • auth_value

    e94dff9a76da90d6b000642c4a52574b

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

51.83.170.21:19447

Attributes
  • auth_value

    3a050df92d0cf082b2cdaf87863616be

Extracted

Family

redline

C2

38.181.25.43:3325

Attributes
  • auth_value

    082cde17c5630749ecb0376734fe99c9

Extracted

Family

smokeloader

Botnet

pub1

Targets

    • Target

      8c97538d9d9f4f89a37aef0136ebfa0a56459a9aca73d5e962dd149835288b43


    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Deletes itself

    • Executes dropped EXE

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive data.

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks