General

  • Target

    868532d1519c35f5286db7166055711d.exe

  • Size

    297KB

  • Sample

    230915-f4ae2agh61

  • MD5

    868532d1519c35f5286db7166055711d

  • SHA1

    ed85a798e92814ce6e1295dddde8fcbda29fea8b

  • SHA256

    9efbde4de467c8a82b270b40c014c4243284b016bd2788164d85012f36aed0ad

  • SHA512

    ffa91bd694e67679fa65a290402bccf83f53b0b47f5fffb70eb8e01b04c59770c58da47dd92f2ad169c58478e01ca24766b00c8d6e8f0b66d2bc3eb66943be60

  • SSDEEP

    3072:3lFu+hvmXyBQVicAm1GDBwaFns+QaT3z9JEJupAxQQ3V5qoKhNwav7ZNN9nw37v:1Fu+YXyBQfA/1vJdHIEp0QkXyN9Xn

Malware Config

Extracted

  • Family

    smokeloader

  • Botnet

    pub1

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://gudintas.at/tmp/
    http://pik96.ru/tmp/
    http://rosatiauto.com/tmp/
    http://kingpirate.ru/tmp/

  • rc4.i32

Extracted

  • Family

    stealc

  • Botnet

    1467882962796800663244393688

  • C2

    http://85.209.11.51

  • Attributes

    • url_path

      /fefb4a458e1dc58b.php

  • rc4.plain

Targets

    • Target

      868532d1519c35f5286db7166055711d.exe

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15