General

  • Target: 37ae53ead74452038b0c77abd3302258.bin
  • Size: 2KB
  • Sample: 230821-bldmhsbg8w
  • MD5: 6f41601cdce01ed99fef6e2c143c03c3
  • SHA1: 3e8f5def9974f67c74cd902462c1c8007f90da7b
  • SHA256: 30366af83c8706dbc4a540357aa10c20a75f35efb2a6f6b72362526da550b453
  • SHA512: 29f3de9ce0e976669c2b800b396146264c85b87c7247e3f27d2d6b2c09b30c743f066ec6c18df464de2174f165cf09847846080bc1aecea54fddd249755e44ce

Malware Config

Extracted

  • Family: smokeloader
  • Botnet: sel8

Extracted

  • Family: smokeloader
  • Version: 2022
  • C2:
      https://anydesk-my.com/faq/
      http://anydesk-my.com/faq/
  • rc4.i32
  • rc4.i32

Extracted

  • Family: redline
  • C2: 94.142.138.147:23000
  • Attributes
      • auth_value: ccff08893879012905ea16489b7e8ced

Extracted

  • Family: asyncrat
  • Botnet: Default
  • C2:
      127.0.0.1:6606
      127.0.0.1:7707
      127.0.0.1:8808
  • Mutex: AsyncMutex_6SI8OkPnk
  • Attributes
      • delay: 3
      • install: false
      • install_folder: %AppData%
  • aes.plain

Extracted

  • Family: lokibot
  • C2:
      http://2.59.254.19/fresh2/five/fre.php
      http://kbfvzoboss.bid/alien/fre.php
      http://alphastand.trade/alien/fre.php
      http://alphastand.win/alien/fre.php
      http://alphastand.top/alien/fre.php

Targets

    • Target: ec8c114e9c0bd6154bd58396c72fabe79e2ffe70dea761cabc98b35186723360.exe
    • Size: 5KB
    • MD5: 37ae53ead74452038b0c77abd3302258
    • SHA1: a94fcde275f0cc5a6257591681eff73949006d62
    • SHA256: ec8c114e9c0bd6154bd58396c72fabe79e2ffe70dea761cabc98b35186723360
    • SHA512: 5f43ab309aeda971eaad5beafc62d3a7170ba2c9e859f116d4e1242d0f42a22b0b69695d7e23b761b70d0cf2b122d775b7e3347de11a2ab7173f14cb8bdf053f
    • SSDEEP: 96:1EKnowbuz1quz1Sluz1nj3x/64PVDUtLvNv8ScpF/kVzNt:1HnoY0q0Sl0npVV2Lvh8JKv

    • AsyncRat
      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Detect Fabookie payload

    • Fabookie
      Fabookie is a Facebook account info stealer.

    • Lokibot
      Lokibot is a password and cryptocurrency wallet stealer.

    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader
      Modular backdoor trojan in use since 2014.

    • StormKitty
      StormKitty is an open-source info stealer written in C#.

    • StormKitty payload

    • Async RAT payload

    • Downloads MZ/PE file

    • ASPack v2.12-2.42
      Detects executables packed with ASPack v2.12-2.42.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

MITRE ATT&CK Enterprise v15

Tasks