General

  • Target

    fefa50ffd7c9e19b4c4d84e664b894c6377196942024b71ee371c466d194ee9c_JC.exe

  • Size

    301KB

  • Sample

    230914-wpjyxsdh61

  • MD5

    92655ee9fd597b85b09a085a2c21fbe1

  • SHA1

    f60f980e9a5c315722b3953638f9f5da85ed4a7e

  • SHA256

    fefa50ffd7c9e19b4c4d84e664b894c6377196942024b71ee371c466d194ee9c

  • SHA512

    b01ccaf9c11c7ed1d3e2765c2f5590e53ba3ddac41a651298bf92028dccc0120431b91fc430b1cb587b3014f17e386605eba27559aa425e6f8beb7da23dc165c

  • SSDEEP

    3072:WGFC2nPsomShMORKs+l5DRWcOQCFOTcCshoPvsAN5N0NUO8J:jF0omShrRTcDRBOLOTcA/Ub

Malware Config

Extracted

  • Family

    smokeloader

  • Botnet

    pub1

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://gudintas.at/tmp/
    http://pik96.ru/tmp/
    http://rosatiauto.com/tmp/
    http://kingpirate.ru/tmp/

  • rc4.i32

  • rc4.i32

Extracted

  • Family

    stealc

  • Botnet

    1467882962796800663244393688

  • C2

    http://85.209.11.51

  • Attributes

    • url_path

      /fefb4a458e1dc58b.php

  • rc4.plain

Targets

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15