General

  • Target

    c88f54545bde70cdfbec29360ac522cee2c53cdba2493f6b4568c5361fe5be69

  • Size

    251KB

  • Sample

    230817-lppjasgf87

  • MD5

    c5f918dbae071ab6c337f67cde854daa

  • SHA1

    86d758d20f1bb5b38a746f1d99068b1ad3f2ac4d

  • SHA256

    c88f54545bde70cdfbec29360ac522cee2c53cdba2493f6b4568c5361fe5be69

  • SHA512

    c5c718dcdd54983099c57f2331c336e38dda627d9740c93d220f3226fb28d6c789a73f21b36ca5b66d41ee4127166eed28b036d1de3d328183c30a4c5b6071a8

  • SSDEEP

    3072:p5zLmaXCA6vq9n6dOx2XhR5fA0EWwsQ5gwFtbsiOi8+O+CDmTRch+sK:3zQ/+n6dOxgM0EH59Ft1Qb/i

Malware Config

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://potunulit.org/
    http://hutnilior.net/
    http://bulimu55t.net/
    http://soryytlic4.net/
    http://novanosa5org.org/
    http://nuljjjnuli.org/
    http://tolilolihul.net/
    http://somatoka51hub.net/
    http://hujukui3.net/
    http://bukubuka1.net/
    http://golilopaster.org/
    http://newzelannd66.org/
    http://otriluyttn.org/

  • Attributes

    rc4.i32
    rc4.i32

Extracted

  • Family

    redline

  • Botnet

    lux3

  • C2

    176.123.9.142:14845

  • Attributes

    auth_value: e94dff9a76da90d6b000642c4a52574b

Extracted

  • Family

    redline

  • C2

    38.181.25.43:3325

  • Attributes

    auth_value: 082cde17c5630749ecb0376734fe99c9

Extracted

  • Family

    redline

  • Botnet

    LogsDiller Cloud (TG: @logsdillabot)

  • C2

    51.83.170.21:19447

  • Attributes

    auth_value: 3a050df92d0cf082b2cdaf87863616be

Extracted

  • Family

    smokeloader

  • Botnet

    up3

Extracted

  • Family

    smokeloader

  • Botnet

    summ

Targets

    • Target

      c88f54545bde70cdfbec29360ac522cee2c53cdba2493f6b4568c5361fe5be69

    • Size

      251KB

    • MD5

      c5f918dbae071ab6c337f67cde854daa

    • SHA1

      86d758d20f1bb5b38a746f1d99068b1ad3f2ac4d

    • SHA256

      c88f54545bde70cdfbec29360ac522cee2c53cdba2493f6b4568c5361fe5be69

    • SHA512

      c5c718dcdd54983099c57f2331c336e38dda627d9740c93d220f3226fb28d6c789a73f21b36ca5b66d41ee4127166eed28b036d1de3d328183c30a4c5b6071a8

    • SSDEEP

      3072:p5zLmaXCA6vq9n6dOx2XhR5fA0EWwsQ5gwFtbsiOi8+O+CDmTRch+sK:3zQ/+n6dOxgM0EH59Ft1Qb/i

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies file permissions

    • Uses the VBS compiler for execution

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15