General

  • Target

    55d9adccc23e04d44903b3f881a2d2ae.bin

  • Size

    138KB

  • Sample

    230923-b96yzadd33

  • MD5

    5be7fbbf93ee299f848a96a2adb20cb8

  • SHA1

    d12efc4208bd8e438bae2077473d83bbdcce5085

  • SHA256

    cceffdf87e80c6368dda54a5faf4e7835aa590f242499cd6173d71b19bfa1f1a

  • SHA512

    b0d88e872cd7a5af73ede714b469e15972facbcb1ec4260dc323754fe02e7e43935b9a8b57440cf97b4bb8a6b75864d087c7056ae81698c6b023c5cda4890137

  • SSDEEP

    3072:/10gCLq+onq9E8uwL3P3vxAwBlM1pP9+WkfjKdIRk5CnyKUt://CL13yu3vx6XfuKqk58e

Malware Config

Extracted

Family

smokeloader

Version

2022

C2


rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

51.38.95.107:42494

Attributes
  • auth_value

    3a050df92d0cf082b2cdaf87863616be

Extracted

Family

fabookie

C2

http://app.nnnaajjjgc.com/check/safe

Targets

    • Target

      b691fce33f6868054ae5d9e77b6bb6f6e75084ba7a63c85dc336edeededc0ad6.exe

    • Size

      293KB

    • MD5

      55d9adccc23e04d44903b3f881a2d2ae

    • SHA1

      d3125be139796ea4402fc189941003bebe977b05

    • SHA256

      b691fce33f6868054ae5d9e77b6bb6f6e75084ba7a63c85dc336edeededc0ad6

    • SHA512

      b07e424b892d76195ad8a05222783681e3c5f869c513b2ac026f8f5d64cc06eea44140c5d935d29e61aab47f5a176ec99fc9f0eb111d24ecb47819f9fb00df26

    • SSDEEP

      3072:AX/XspzS8/ijVQx5qUSv1rIC2jyiZSFeFEWv4JmXNcBf1IBg85ve:EvsZSPqxHSvaC22WSFeFXvNcBfKg8F

    • DcRat

      DarkCrystal (DcRat) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Detect Fabookie payload

    • Fabookie

      Fabookie is a Facebook account information stealer.

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Stops running service(s)

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks