General

  • Target

    c708c06ac006be2c5cf4391e70e1c253.bin

  • Size

    149KB

  • Sample

    230915-b5qfesba38

  • MD5

    94ea92c19106bf781d49fbf0065364ba

  • SHA1

    e4d73ff7f63408bbf82fdead6d884dba1549d27d

  • SHA256

    d15d43361e526465a90fd20ff15d50b37db02d6a5d0c037568eb745b5c0ce30d

  • SHA512

    826525bfd7eb05930c10c9753518f687bcdcee7e01679522194b738af1e2c410260d82036a3e5eaa97f79c27b05e400052807930800ee519af7defd031fb6165

  • SSDEEP

    3072:tbLRl4Sl5mwFpip1Y1xV4qwuhdtHNn5/KBej9Q/eYhRDgoYd3:tvRbmwFwpyr9RdN/KcKVAd

Malware Config

Extracted

  • Family: smokeloader
  • Botnet: pub1

Extracted

  • Family: smokeloader
  • Version: 2022
  • C2:
    http://gudintas.at/tmp/
    http://pik96.ru/tmp/
    http://rosatiauto.com/tmp/
    http://kingpirate.ru/tmp/
  • rc4.i32
  • rc4.i32

Extracted

  • Family: stealc
  • Botnet: 1467882962796800663244393688
  • C2: http://85.209.11.51
  • Attributes
    • url_path: /fefb4a458e1dc58b.php
  • rc4.plain

Targets

    • Target

      77fcb3294002ee5ecfbd36825e19d038a4d7d213734758dae1fa731bfa2b1058.bin

    • Size

      301KB

    • MD5

      c708c06ac006be2c5cf4391e70e1c253

    • SHA1

      373018a482fe73923068acb59aec1a92df283481

    • SHA256

      77fcb3294002ee5ecfbd36825e19d038a4d7d213734758dae1fa731bfa2b1058

    • SHA512

      557c5764f2fb536597775f91a484843bdcee8ca14dc61b69795aa68c8d74dca9ea6b2aa9e2015c98d7dd8f17e1b3e95f6ebff35275eb51200317ad19e3881e9c

    • SSDEEP

      6144:KcFenSVdEdILeE783DJQmEQwVHn7hHLG:KhnqdcSCe7di

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks