General
- Target: b6ecd4da57d1a64af6e974a3a1410af3f9bb5289965f240dace24045f4d51d1e
- Size: 240KB
- Sample: 230922-szvxdsgh81
- MD5: 83c2dcd20217ac522e14f3ef3f40ce47
- SHA1: 059c29dd76de9e8c41e0feca4a5285735ac7277e
- SHA256: b6ecd4da57d1a64af6e974a3a1410af3f9bb5289965f240dace24045f4d51d1e
- SHA512: 99dccc2e96c99e68d8a767d4663469b20999255dbc9168099d92287a59af2c27ed9a76473e5247af3d75063d02096050a8aba05c5628632077ec1ef98d0fb922
- SSDEEP: 6144:9L5frpxdonyq4zaG2u5AOUeKDy//bquqp:9lrp0/9u5Se4y/Dquqp
Static task: static1
Malware Config
- Extracted: smokeloader (2022)
  http://77.91.68.29/fks/
- Extracted: smokeloader (up3)
- Extracted: smokeloader (2020)
  http://host-file-host6.com/
  http://host-host-file8.com/
Targets
- Target: b6ecd4da57d1a64af6e974a3a1410af3f9bb5289965f240dace24045f4d51d1e
Signatures
- Glupteba payload
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext