General

  • Target

    c55c92457d03edbc7ec6f2c1ed55ca5e79d66d5ee568beab370229cd278649b1_JC.exe

  • Size

    299KB

  • Sample

    230915-qqespseh29

  • MD5

    08f32f388b42aab675eea1bf2d60d770

  • SHA1

    e53e062934952fa51c68a9400afa631880ccebe6

  • SHA256

    c55c92457d03edbc7ec6f2c1ed55ca5e79d66d5ee568beab370229cd278649b1

  • SHA512

    82ebb2416b4980bd699c04233800469ac23ba68d5ba950cd91d1a950af699bbd847a883e1907527000cc7fb7d34e3dd00d8d4609fd3324964f7317a7116b5ba7

  • SSDEEP

    3072:W2CP+T3inIYGANRRZgJw8KmC1qr1NFCAoJGwMjLAAJgR3:GPKinIYXNRQ685RxIeJg

Malware Config

Extracted

  • Family

    smokeloader

  • Botnet

    pub1

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://gudintas.at/tmp/

    http://pik96.ru/tmp/

    http://rosatiauto.com/tmp/

    http://kingpirate.ru/tmp/

  • rc4.i32

Extracted

  • Family

    stealc

  • C2

    http://85.209.11.51

  • Attributes

    • url_path

      /fefb4a458e1dc58b.php

  • rc4.plain

Targets

    • Target

      c55c92457d03edbc7ec6f2c1ed55ca5e79d66d5ee568beab370229cd278649b1_JC.exe

    • Size

      299KB

    • MD5

      08f32f388b42aab675eea1bf2d60d770

    • SHA1

      e53e062934952fa51c68a9400afa631880ccebe6

    • SHA256

      c55c92457d03edbc7ec6f2c1ed55ca5e79d66d5ee568beab370229cd278649b1

    • SHA512

      82ebb2416b4980bd699c04233800469ac23ba68d5ba950cd91d1a950af699bbd847a883e1907527000cc7fb7d34e3dd00d8d4609fd3324964f7317a7116b5ba7

    • SSDEEP

      3072:W2CP+T3inIYGANRRZgJw8KmC1qr1NFCAoJGwMjLAAJgR3:GPKinIYXNRQ685RxIeJg

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks