General

  • Target

    cb77680df3b88a997837d29478d8a9fa

  • Size

    272KB

  • Sample

    230915-pq9gmsed93

  • MD5

    cb77680df3b88a997837d29478d8a9fa

  • SHA1

    698ea26835510137871b261181e00ca26f1a96a7

  • SHA256

    8bbbf51d4c5404915d1b306121e0226d1f23e88acf635c8cb4f4461dbe142838

  • SHA512

    670dbaf3bfd723aff6b3e7f3fbbaf5db684ff0f2241b65acd8895197f801af63882bdb64ef084ea7781e0f8ec703f9bf1e80c042fa05b634382e79a10c212a81

  • SSDEEP

    3072:rnwexBFOXwHjuJjCtQ0JGnoh2odkHl2q+H3kp/Fk8cueJUZPyMmkCnNXht6:MeYXOjudC+0HvNH3QdcueJsKMmxta

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://gudintas.at/tmp/

http://pik96.ru/tmp/

http://rosatiauto.com/tmp/

http://kingpirate.ru/tmp/

rc4.i32
rc4.i32

Extracted

Family

stealc

C2

http://85.209.11.51

Attributes
  • url_path

    /fefb4a458e1dc58b.php

rc4.plain

Targets

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
