General

  • Target

    8c8545f91021086b21437241273005f51f0d05c46a434e9dd4076d6b98aa5c76_JC.exe

  • Size

    301KB

  • Sample

    230915-qa4rwsbh3w

  • MD5

    04439e826dcb2e4487b513b47f70281d

  • SHA1

    61a457b1f1e826c52456131bcfa9dcab54571799

  • SHA256

    8c8545f91021086b21437241273005f51f0d05c46a434e9dd4076d6b98aa5c76

  • SHA512

    04f41d20bfe2bf265dd0d97c5ccbb74dd0bee8c214f7fd458449050f832473c0f19a3a2477fde883e7630bd54d8eb186885bc27c9d3f75b7a6102dbc22c38cab

  • SSDEEP

    3072:4PKOnklY9rnLDSyVV0kVGlyGTYMewbJV7Na8gc/lo44hNZ0brnx0c3:ts19rnLDSyVyIIy0HbJV7g8V9TyNK

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://gudintas.at/tmp/

http://pik96.ru/tmp/

http://rosatiauto.com/tmp/

http://kingpirate.ru/tmp/

rc4.i32
rc4.i32

Extracted

Family

stealc

C2

http://85.209.11.51

Attributes
  • url_path

    /fefb4a458e1dc58b.php

rc4.plain

Targets

    • Target

      8c8545f91021086b21437241273005f51f0d05c46a434e9dd4076d6b98aa5c76_JC.exe

    • Size

      301KB

    • MD5

      04439e826dcb2e4487b513b47f70281d

    • SHA1

      61a457b1f1e826c52456131bcfa9dcab54571799

    • SHA256

      8c8545f91021086b21437241273005f51f0d05c46a434e9dd4076d6b98aa5c76

    • SHA512

      04f41d20bfe2bf265dd0d97c5ccbb74dd0bee8c214f7fd458449050f832473c0f19a3a2477fde883e7630bd54d8eb186885bc27c9d3f75b7a6102dbc22c38cab

    • SSDEEP

      3072:4PKOnklY9rnLDSyVV0kVGlyGTYMewbJV7Na8gc/lo44hNZ0brnx0c3:ts19rnLDSyVyIIy0HbJV7g8V9TyNK

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks