General

  • Target

    bd619c2eac464daef651344ce2d88847.bin

  • Size

    1.3MB

  • Sample

    230922-cjl2jsbg8t

  • MD5

    417f5ee23cca906bda97cdbd2dfcabdf

  • SHA1

    90238d66f6bbf11baaaa76b9bc4a25d39278d18f

  • SHA256

    78aac59fdbd7f9c0e811b78a95441ce61dd27371be85318bd4e69f847471e103

  • SHA512

    1be26c8f58e771c7962f4a46684737d0c008581c06a5e95cdb77b9e07bbe6456f3dcd608b0f20966f1fa2d9893433d71657f0700ef4165d096d5507bce3c6a27

  • SSDEEP

    24576:dHGm5xKKI6UlovEtghWPPxBY5B4j1MbwUPZ7Ski2R/W+HQTUHBrlt:5F8GT0xIej1bki2uTUHBlt

Malware Config

Extracted

Family

redline

Botnet

trush

C2

77.91.124.82:19071

Attributes
  • auth_value

    c13814867cde8193679cd0cad2d774be

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32
rc4.i32

Targets

    • Target

      1f2fd9f5bd935796629c5a50dd8dada92992a2020aa41c2db444630ca2ba72eb.exe

    • Size

      1.3MB

    • MD5

      bd619c2eac464daef651344ce2d88847

    • SHA1

      54e5e75aff9f8672facf8d82efdf4ebc3e9044f4

    • SHA256

      1f2fd9f5bd935796629c5a50dd8dada92992a2020aa41c2db444630ca2ba72eb

    • SHA512

      870b88cd108487ec44689261bed5cc7a6426f46a346382d482e0e0ec4c4e2e2f79bb2cb6f5d745d05225be994e7f7b980ca557b41f146b045799d40874c5d515

    • SSDEEP

      24576:NyHtS9hAtuW3mXiT25itgMZkgdqaroNfBWV9u7JzAtOvU2z81yfrW:oHAvAgWaiT2hMZH3oNom7Jc+7j

    • Detects Healer an antivirus disabler dropper

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks