General

  • Target: 57023d355566b1bff7490a5bc5c4380e013b2b4fb68152c8118be21718e53329_JC.exe
  • Size: 298KB
  • Sample: 230915-py79jsbf91
  • MD5: f4d73b7bcfcdc85f236054d09e6ad097
  • SHA1: 2a7159b0a2efd5f912886bc6bc2e0d29cee577b6
  • SHA256: 57023d355566b1bff7490a5bc5c4380e013b2b4fb68152c8118be21718e53329
  • SHA512: bdae0fee3ea5439f53459254270e20ec0de3a20f2911bf4bf7301a608fb2eba4ee3eacbf758af3499ec81dc05eedb0f2358e49b1e170b8e00d4e362292235743
  • SSDEEP: 3072:n2ufjT/ih9nQU/HGZg2fB8Ik5ueI7DwLRc9P2OIC/IM+FURL3:xfvih9nd/H7221udnwdclP/I0

Malware Config

Extracted

  • Family: smokeloader
  • Botnet: pub1

Extracted

  • Family: smokeloader
  • Version: 2022
  • C2:
    http://gudintas.at/tmp/
    http://pik96.ru/tmp/
    http://rosatiauto.com/tmp/
    http://kingpirate.ru/tmp/

rc4.i32

Extracted

  • Family: stealc
  • C2: http://85.209.11.51
  • Attributes
    • url_path: /fefb4a458e1dc58b.php

rc4.plain

Targets

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks