General

  • Target

    35df6a30564f8166d8e2662885cf6938c71d4906033734d555683eb975c3ddb6

  • Size

    181KB

  • Sample

    230913-e8rpfaca54

  • MD5

    2a01a360f21285bdec8da4fe79fa169d

  • SHA1

    e04fbf07e608f87e151de9aac5b0b7ad16e44f3c

  • SHA256

    35df6a30564f8166d8e2662885cf6938c71d4906033734d555683eb975c3ddb6

  • SHA512

    944581be45df7d22d949f367d7e96cdc6d27e4eae3b13b2791070f58e8d7b606ecf093191cf813b6e79aa72df5ff0603204d2975d4afd2b85830e2541681880b

  • SSDEEP

    3072:JhEKILKTyJ3FR06SDYtoHsp9b1DhCmwvk+n9cMm7Man5G8DF:ftILKGdH06Skvb1Crne3wak8x

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

rc4.i32
rc4.i32

Extracted

Family

redline

C2

38.181.25.43:3325

Attributes
  • auth_value

    082cde17c5630749ecb0376734fe99c9

Extracted

Family

redline

Botnet

lux3

C2

176.123.9.142:14845

Attributes
  • auth_value

    e94dff9a76da90d6b000642c4a52574b

Extracted

Family

redline

Botnet

smokiez_build

C2

194.169.175.232:45450

Attributes
  • auth_value

    2e68bc276986767f0f14a3d75567abcd

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

51.38.95.107:42494

Attributes
  • auth_value

    3a050df92d0cf082b2cdaf87863616be

Extracted

Family

amadey

Version

3.87

C2

http://79.137.192.18/9bDc8sQ/index.php

Attributes
  • install_dir

    577f58beff

  • install_file

    yiueea.exe

  • strings_key

    a5085075a537f09dec81cc154ec0af4d

rc4.plain
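The extracted configs above are the actionable part of this report: thirteen SmokeLoader C2 domains, four RedLine ip:port sockets (each tied to a botnet id and auth_value), one Amadey panel URL plus its install_dir/install_file pair, and the sample hashes from the General section. The script below is an added example, not part of the sandbox report, that turns those indicators into a matcher and runs it over constructed proxy, netflow and process-creation log lines. The log line formats, the LOG_LINES themselves, and the assumption that Amadey drops install_file under %TEMP%\install_dir are all assumptions made for the example; the indicator values are copied verbatim from the report.

```python
"""Match the SmokeLoader / RedLine / Amadey indicators from this report against log lines.

Added example; indicator values are copied from the report, everything else is constructed.
"""
import hashlib
import re
from urllib.parse import urlparse

# C2 entries as listed under Malware Config.
SMOKELOADER_C2 = [
    "http://potunulit.org/", "http://hutnilior.net/", "http://bulimu55t.net/",
    "http://soryytlic4.net/", "http://novanosa5org.org/", "http://nuljjjnuli.org/",
    "http://tolilolihul.net/", "http://somatoka51hub.net/", "http://hujukui3.net/",
    "http://bukubuka1.net/", "http://golilopaster.org/", "http://newzelannd66.org/",
    "http://otriluyttn.org/",
]
REDLINE_C2 = {  # "ip:port" -> botnet id from the config
    "38.181.25.43:3325": "(no botnet id)",
    "176.123.9.142:14845": "lux3",
    "194.169.175.232:45450": "smokiez_build",
    "51.38.95.107:42494": "LogsDiller Cloud (TG: @logsdillabot)",
}
AMADEY_C2 = "http://79.137.192.18/9bDc8sQ/index.php"
# install_dir\install_file from the Amadey config. Assumption: the bot copies itself
# to %TEMP%\<install_dir>\<install_file>, so match on the path suffix only.
AMADEY_DROP_SUFFIX = r"577f58beff\yiueea.exe"
SAMPLE_HASHES = {
    "md5": "2a01a360f21285bdec8da4fe79fa169d",
    "sha1": "e04fbf07e608f87e151de9aac5b0b7ad16e44f3c",
    "sha256": "35df6a30564f8166d8e2662885cf6938c71d4906033734d555683eb975c3ddb6",
}


def build_indicators():
    """Split the C2 entries into hostname -> family and "ip:port" -> family maps."""
    hosts = {urlparse(u).hostname: "smokeloader" for u in SMOKELOADER_C2}
    hosts[urlparse(AMADEY_C2).hostname] = "amadey"  # a bare IP, but parsed the same way
    sockets = {sock: "redline " + botnet for sock, botnet in REDLINE_C2.items()}
    return hosts, sockets


# Constructed log formats (assumption, not a real product's format):
#   proxy:   "<ts> <client> <METHOD> <url> <status>"
#   netflow: "<src:port> -> <dst:port> <proto>"
#   process: "<ts> PROCESS_CREATE <image path>"
PROXY_RE = re.compile(r"^\S+ (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
FLOW_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>[\d.]+:\d+) (?P<proto>\w+)$")
PROC_RE = re.compile(r"^\S+ PROCESS_CREATE (?P<image>.+)$")


def match_line(line, hosts, sockets):
    """Return (family, indicator) when a line touches a known C2 or drop path, else None."""
    m = PROXY_RE.match(line)
    if m:
        host = urlparse(m.group("url")).hostname
        return (hosts[host], host) if host in hosts else None
    m = FLOW_RE.match(line)
    if m:
        dst = m.group("dst")
        return (sockets[dst], dst) if dst in sockets else None
    m = PROC_RE.match(line)
    if m and m.group("image").lower().endswith(AMADEY_DROP_SUFFIX.lower()):
        return ("amadey", m.group("image"))
    return None


def scan(lines, hosts, sockets):
    """Return [(line number, (family, indicator))] for every matching line."""
    return [(i, hit) for i, line in enumerate(lines, 1) if (hit := match_line(line, hosts, sockets))]


def hash_blob(data: bytes) -> dict:
    """Compute the same three digests the report lists, so a file can be compared directly."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def is_sample(data: bytes) -> bool:
    """True only when all three digests agree with the report (one alone would do to flag)."""
    return hash_blob(data) == SAMPLE_HASHES


# Constructed sample input for the demo; none of these lines come from the report.
LOG_LINES = [
    "2023-09-13T08:15:02Z 10.0.0.5 GET http://potunulit.org/ 200",
    "2023-09-13T08:15:03Z 10.0.0.5 GET https://example.com/index.html 200",
    "2023-09-13T08:15:09Z 10.0.0.5 POST http://79.137.192.18/9bDc8sQ/index.php 200",
    "10.0.0.5:51234 -> 38.181.25.43:3325 TCP",
    "10.0.0.5:51235 -> 176.123.9.142:14845 TCP",
    "10.0.0.5:51236 -> 8.8.8.8:53 UDP",
    r"2023-09-13T08:15:10Z PROCESS_CREATE C:\Users\bob\AppData\Local\Temp\577f58beff\yiueea.exe",
]

if __name__ == "__main__":
    hosts, sockets = build_indicators()
    for lineno, (family, ioc) in scan(LOG_LINES, hosts, sockets):
        print(f"line {lineno}: {family} -> {ioc}")
    print("empty blob is the sample:", is_sample(b""))
```

Two caveats when reusing this against real telemetry: the RedLine sockets are matched on exact ip:port because the report ties each one to a distinct botnet id, so a port change by the operator would be missed unless you also alert on the bare IPs; and the Amadey match keys on the path suffix, so it survives a different user profile but would not catch a rebuilt sample with a new install_dir.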

Targets

    • Target

      35df6a30564f8166d8e2662885cf6938c71d4906033734d555683eb975c3ddb6

    • Size

      181KB

    • MD5

      2a01a360f21285bdec8da4fe79fa169d

    • SHA1

      e04fbf07e608f87e151de9aac5b0b7ad16e44f3c

    • SHA256

      35df6a30564f8166d8e2662885cf6938c71d4906033734d555683eb975c3ddb6

    • SHA512

      944581be45df7d22d949f367d7e96cdc6d27e4eae3b13b2791070f58e8d7b606ecf093191cf813b6e79aa72df5ff0603204d2975d4afd2b85830e2541681880b

    • SSDEEP

      3072:JhEKILKTyJ3FR06SDYtoHsp9b1DhCmwvk+n9cMm7Man5G8DF:ftILKGdH06Skvb1Crne3wak8x

    • Amadey

      Amadey is a simple trojan bot primarily used for collecting reconnaissance information and loading further payloads.

    • Detect Fabookie payload

    • Fabookie

      Fabookie is a Facebook account information stealer.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      SmokeLoader is a modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Deletes itself

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks