General

  • Target

    1a8b0853338c0e0eab5d13746038fae9.bin

  • Size

    150KB

  • Sample

    230915-beqcqsag95

  • MD5

    338f6626b692f7b34ce454d57a4d1e6d

  • SHA1

    8dc5b5773dbe32403110d0624e0f4552841997f1

  • SHA256

    b383c265c95b2dfbf5b3194398ccdd462abae212792a6087f016f047230a9adf

  • SHA512

    6a211ed64768b26893d25c49e8de775ca21dd8483b08f30e508776b34ecd78b20828eee8746f2492611264ec9d0168b96552dd067f65a462902dcb9117c21d7c

  • SSDEEP

    3072:Yfneu06bkoEAZCEftzQryfXhTiD9wsq5aWH+ZNr09Xx899UKy:AnrJDEyfXhTiDGGZNr09XACKy

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://gudintas.at/tmp/

http://pik96.ru/tmp/

http://rosatiauto.com/tmp/

http://kingpirate.ru/tmp/

rc4.i32
rc4.i32

Extracted

Family

stealc

Botnet

1467882962796800663244393688

C2

http://85.209.11.51

Attributes
  • url_path

    /fefb4a458e1dc58b.php

  • rc4.plain

Targets

    • Target

      1a8b0853338c0e0eab5d13746038fae9.bin

    • Size

      150KB

    • MD5

      338f6626b692f7b34ce454d57a4d1e6d

    • SHA1

      8dc5b5773dbe32403110d0624e0f4552841997f1

    • SHA256

      b383c265c95b2dfbf5b3194398ccdd462abae212792a6087f016f047230a9adf

    • SHA512

      6a211ed64768b26893d25c49e8de775ca21dd8483b08f30e508776b34ecd78b20828eee8746f2492611264ec9d0168b96552dd067f65a462902dcb9117c21d7c

    • SSDEEP

      3072:Yfneu06bkoEAZCEftzQryfXhTiD9wsq5aWH+ZNr09Xx899UKy:AnrJDEyfXhTiDGGZNr09XACKy

    • Score

      1/10

    • Target

      947fb340a672bd684a18ab7aeb7fe28cd9f2eee3c0de99c205f3a4a39aad12c0.bin

    • Size

      302KB

    • MD5

      1a8b0853338c0e0eab5d13746038fae9

    • SHA1

      3132faa6943319d0d6a29940698c2fc39fb89062

    • SHA256

      947fb340a672bd684a18ab7aeb7fe28cd9f2eee3c0de99c205f3a4a39aad12c0

    • SHA512

      f2c27edad737d0bc82309bb8fe723fd43fa04a320928ab115fcaba1751a81a6d36ea0ccfd4e5eda6aa520f3afd31047630b6c3eb2387a8d9d4d79ba0c3b99cd4

    • SSDEEP

      3072:OOVBnvCNeLj8S+rLFOhgEl1L1JhrEX7CqluMFkaysVq8fnYO8J:vxoeLj8SKLF0j1LXhQLfoq/7R

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks