General

  • Target

    a10050075a0d60a634c91b5d7631f736e65f7a638a9a0ea7a2703b7871776b71

  • Size

    251KB

  • Sample

    230817-fneptafd27

  • MD5

    d24e552f2a57bbd6fef597e88a8cd46d

  • SHA1

    00c5360cdb57031b421b4e35641040af0d1dfd0c

  • SHA256

    a10050075a0d60a634c91b5d7631f736e65f7a638a9a0ea7a2703b7871776b71

  • SHA512

    ac21d7970997b9d005c3a33f6a77fce0a6832689cbfca9fd2fa54e713fc3105ef7ad51a066dd754a8a1ae6ccfe0961ddb305e104d9172306f3334b2dbe7ae6cd

  • SSDEEP

    3072:FUz4htJbtTzqpnntsEssR59JeNpLyytvJALY+yzhdsK:uzKnWnntsEDwpf+Y+yzR

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

http://greenbi.net/tmp/

http://speakdyn.com/tmp/

http://pik96.ru/tmp/

Attributes
  • rc4.i32
  • rc4.i32
  • rc4.i32
  • rc4.i32

Extracted

Family

redline

Botnet

lux3

C2

176.123.9.142:14845

Attributes
  • auth_value

    e94dff9a76da90d6b000642c4a52574b

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

51.83.170.21:19447

Attributes
  • auth_value

    3a050df92d0cf082b2cdaf87863616be

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Botnet

up3

Targets

    • Target

      a10050075a0d60a634c91b5d7631f736e65f7a638a9a0ea7a2703b7871776b71

    • Size

      251KB

    • MD5

      d24e552f2a57bbd6fef597e88a8cd46d

    • SHA1

      00c5360cdb57031b421b4e35641040af0d1dfd0c

    • SHA256

      a10050075a0d60a634c91b5d7631f736e65f7a638a9a0ea7a2703b7871776b71

    • SHA512

      ac21d7970997b9d005c3a33f6a77fce0a6832689cbfca9fd2fa54e713fc3105ef7ad51a066dd754a8a1ae6ccfe0961ddb305e104d9172306f3334b2dbe7ae6cd

    • SSDEEP

      3072:FUz4htJbtTzqpnntsEssR59JeNpLyytvJALY+yzhdsK:uzKnWnntsEDwpf+Y+yzR

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Deletes itself

    • Executes dropped EXE

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks