General

  • Target

    31b1fb423d3a3b65e6df0a5bb5e7b26e.bin

  • Size

    148KB

  • Sample

    230915-bh97baah23

  • MD5

    3902dfa977d09d92a58209373bac1b52

  • SHA1

    43d929e43efeaf1bdff873c3664d72692c2683b9

  • SHA256

    588ebf6295afef0d5e3196e90e9ea6df977f288def7e2308151ac6d36fbcbb02

  • SHA512

    818e73492bf5169b53db5812370cfc7392a1628f84a8cf2617c15b53c61d85895ca1f782b3044d28de1ca289fdc7dc65593baa99e35e5cccd213ac79bf037bf8

  • SSDEEP

    3072:vmLUD+ovJs6A7y21ex4tFXLwr7UbyU+K+YXXfxnpqAikNw35b72jTICPW:+q1W7NeAXsEWUV7fRA52w35X2jPW

Malware Config

Extracted

  • Family

    smokeloader

  • Botnet

    pub1

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://gudintas.at/tmp/

    http://pik96.ru/tmp/

    http://rosatiauto.com/tmp/

    http://kingpirate.ru/tmp/

  • rc4.i32

  • rc4.i32

Extracted

  • Family

    stealc

  • Botnet

    1467882962796800663244393688

  • C2

    http://85.209.11.51

  • Attributes

    • url_path

      /fefb4a458e1dc58b.php

  • rc4.plain
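The extracted configs give each C2 endpoint in pieces: SmokeLoader's URLs already carry their `/tmp/` path, while Stealc reports the host (`C2`) and the gate path (`url_path`) as separate fields. As an added example, not output of the sandbox report, the script below assembles the full endpoints, defangs them for sharing, and emits one Suricata host+URI rule per endpoint. The config values are copied from the report; the SID range and the rule message wording are assumptions.

```python
"""Turn the extracted SmokeLoader/Stealc configs into network IOCs.

Added example, not part of the report. CONFIGS is copied from the report's
Malware Config section; the SID range and rule wording are assumptions.
"""
from urllib.parse import urlsplit, urlunsplit

CONFIGS = [
    {"family": "smokeloader", "botnet": "pub1", "version": "2022",
     "c2": ["http://gudintas.at/tmp/", "http://pik96.ru/tmp/",
            "http://rosatiauto.com/tmp/", "http://kingpirate.ru/tmp/"]},
    {"family": "stealc", "botnet": "1467882962796800663244393688",
     "c2": ["http://85.209.11.51"], "url_path": "/fefb4a458e1dc58b.php"},
]


def gate_urls(cfg):
    """Full C2 endpoints. Stealc reports host and gate path as separate
    fields, so they are joined here; SmokeLoader URLs already carry a path."""
    gate = cfg.get("url_path", "")
    urls = []
    for c2 in cfg["c2"]:
        p = urlsplit(c2)
        path = p.path or "/"
        if gate:
            path = path.rstrip("/") + gate
        urls.append(urlunsplit((p.scheme, p.netloc, path, "", "")))
    return urls


def defang(url):
    """Break scheme and host so the IOC cannot be clicked; path stays readable."""
    p = urlsplit(url)
    scheme = {"http": "hxxp", "https": "hxxps"}.get(p.scheme, p.scheme)
    return f"{scheme}://{p.netloc.replace('.', '[.]')}{p.path}"


def suricata_rules(cfg, sid):
    """One host+URI rule per endpoint. The SmokeLoader '/tmp/' path is far too
    generic to alert on by itself, so every rule requires the host as well."""
    rules = []
    for url in gate_urls(cfg):
        p = urlsplit(url)
        rules.append(
            f'alert http $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"{cfg["family"]} C2 {p.netloc} (botnet {cfg["botnet"]})"; '
            f'flow:established,to_server; http.host; content:"{p.hostname}"; '
            f'http.uri; content:"{p.path}"; sid:{sid}; rev:1;)')
        sid += 1
    return rules


def ioc_list():
    """(family, botnet, defanged endpoint) for every extracted config."""
    return [(c["family"], c["botnet"], defang(u))
            for c in CONFIGS for u in gate_urls(c)]


if __name__ == "__main__":
    for row in ioc_list():
        print(*row, sep="\t")
    sid = 9000001  # assumed local SID range
    for cfg in CONFIGS:
        rules = suricata_rules(cfg, sid)
        print("\n".join(rules))
        sid += len(rules)
```

The host match is the discriminating part of each rule: `/tmp/` and a bare IP with a random `.php` name both occur in benign traffic, so neither path should be deployed without its host.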

Targets

    • Target

      4201248030180127dc4299a4dbcc6cde35beaafbefd9a25ffb3093d3e35f5dc2.bin

    • Size

      301KB

    • MD5

      31b1fb423d3a3b65e6df0a5bb5e7b26e

    • SHA1

      3cb7b522415c3ee912c3086068b34602b63ec909

    • SHA256

      4201248030180127dc4299a4dbcc6cde35beaafbefd9a25ffb3093d3e35f5dc2

    • SHA512

      b96b8329565fcf4baf390730a734fc41ee0b2f9926d806d05031fae4a649664d5d4c392025abc4d40ba7e383d6ee3bfe55c6d062ebdfb895c91d4fc86e59bb1b

    • SSDEEP

      3072:gXrBniTRheshgU869bFVwuzl4IdS4wQQxS3pduERe+InC3:kxajeshgUt9bLjpZYQQx+6n

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext (the call used in process hollowing to point a suspended thread at injected code)
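The report lists two files whose relation is visible only through their hashes: the filename of the General entry, 31b1fb423d3a3b65e6df0a5bb5e7b26e.bin, is the MD5 of the Targets entry. As an added example, not part of the report, the script below sanity-checks the listed digests for length and alphabet, verifies a local copy of the sample against them, checks that the two ssdeep signatures have comparable block sizes before anyone tries to score them, and flags the filename/MD5 link. The hash values are copied from the report; the bytes used in the self-test are constructed and are not the sample.

```python
"""Verify a local file against the digests listed in the report.

Added example, not report output. REPORTED/OUTER_* are copied from the page;
the test input bytes are constructed.
"""
import hashlib
import re
import sys

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# "Targets" entry as listed in the report.
REPORTED = {
    "target": "4201248030180127dc4299a4dbcc6cde35beaafbefd9a25ffb3093d3e35f5dc2.bin",
    "md5": "31b1fb423d3a3b65e6df0a5bb5e7b26e",
    "sha1": "3cb7b522415c3ee912c3086068b34602b63ec909",
    "sha256": "4201248030180127dc4299a4dbcc6cde35beaafbefd9a25ffb3093d3e35f5dc2",
    "sha512": "b96b8329565fcf4baf390730a734fc41ee0b2f9926d806d05031fae4a649664d"
              "5d4c392025abc4d40ba7e383d6ee3bfe55c6d062ebdfb895c91d4fc86e59bb1b",
    "ssdeep": "3072:gXrBniTRheshgU869bFVwuzl4IdS4wQQxS3pduERe+InC3:kxajeshgUt9bLjpZYQQx+6n",
}
# "General" entry's filename and ssdeep, as listed in the report.
OUTER_TARGET = "31b1fb423d3a3b65e6df0a5bb5e7b26e.bin"
OUTER_SSDEEP = ("3072:vmLUD+ovJs6A7y21ex4tFXLwr7UbyU+K+YXXfxnpqAikNw35b72jTICPW:"
                "+q1W7NeAXsEWUV7fRA52w35X2jPW")


def check_report_hashes(rep):
    """Names of digests that are not well-formed lowercase hex of the right
    length; catches truncated or mangled copy/paste before any comparison."""
    return [alg for alg, n in HEX_LEN.items()
            if not re.fullmatch(rf"[0-9a-f]{{{n}}}", rep[alg])]


def compute_hashes(data: bytes):
    return {alg: hashlib.new(alg, data).hexdigest() for alg in HEX_LEN}


def verify(data: bytes, rep):
    """Algorithms whose digest of `data` disagrees with the report (empty = match)."""
    got = compute_hashes(data)
    return sorted(alg for alg in HEX_LEN if got[alg] != rep[alg].lower())


def ssdeep_blocksize(sig):
    """ssdeep signatures are 'blocksize:chunk:double-chunk'."""
    return int(sig.split(":", 1)[0])


def ssdeep_comparable(a, b):
    """ssdeep only scores two signatures whose block sizes are equal or
    differ by exactly one factor of two; anything else is a guaranteed 0."""
    x, y = ssdeep_blocksize(a), ssdeep_blocksize(b)
    return x == y or x == 2 * y or y == 2 * x


def filename_is_md5_of(outer_name, inner):
    """True when the outer entry is named by the inner entry's MD5, which is
    how this report ties the two files together."""
    return outer_name.rsplit(".", 1)[0].lower() == inner["md5"].lower()


if __name__ == "__main__":
    bad = check_report_hashes(REPORTED)
    print("malformed digests:", bad or "none")
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            mismatched = verify(fh.read(), REPORTED)
        print("mismatch:", mismatched or "none, file matches the report")
    print("ssdeep comparable:", ssdeep_comparable(OUTER_SSDEEP, REPORTED["ssdeep"]))
    print("outer named by inner MD5:", filename_is_md5_of(OUTER_TARGET, REPORTED))
```

Checking all four digests, not just SHA256, is deliberate: threat-intel feeds still key on MD5 and SHA1, so a sample that matches SHA256 but not the listed MD5 means the report's MD5 was copied wrong and should not be pushed to a blocklist as-is.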

MITRE ATT&CK Enterprise v15

Tasks