General

  • Target

    073462961b7a6ad2577b52ad36ff853a.bin

  • Size

    138KB

  • Sample

    230923-bczhmabb8y

  • MD5

    75ca2e8f3e5b997c6630f57e1d4791c5

  • SHA1

    15d3dfffb4e23d946b195847a3df5eca33d7a61a

  • SHA256

    1a512233faf8999e015d8838f1a38197fefc249eae8923cfcf2446b40373ee96

  • SHA512

    5873f2d27f8a8d0ab022f81732fd369be49c88a20198175a3aac2ecb6c7fd599bbc1cec84fd7228ac7a4acdbc8e02639089dd90204add3b11cce6bb2332500c1

  • SSDEEP

    3072:H8Ccj1B7NdnLEb3T8z3WMOygLqE1m85NoJLZJvpkb8C3DH:cCcj1BJdnLeIz3WMOygLZ+LZJ+dDH

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

51.38.95.107:42494

Attributes
  • auth_value

    3a050df92d0cf082b2cdaf87863616be

Extracted

Family

fabookie

C2

http://app.nnnaajjjgc.com/check/safe

Targets

    • Target

      e7b03db448a2b1491bc92d659af57e4ff42e91616bb9d9ddce9b0e22b31517e8.exe

    • Size

      293KB

    • MD5

      073462961b7a6ad2577b52ad36ff853a

    • SHA1

      e1905413849a8552196584ce55b4af0687c65879

    • SHA256

      e7b03db448a2b1491bc92d659af57e4ff42e91616bb9d9ddce9b0e22b31517e8

    • SHA512

      8855fc1bd3570b68b4b9b056a4b9e38e333b26fa877bfbcf44cf68783bac055aefefd0ce93f56f08d1e807e08e31ac8f3ad24642d7d8561763cae0ae36521ce0

    • SSDEEP

      3072:3onX/pzSGvDXvnxbZVXEPaBNxhsLT931anbcA6TArzg85ve:4X/ZSIPxlVXEyBpyT54F6TAfg8F

    • DcRat

      DarkCrystal RAT (DCRat) is a .NET remote access trojan active since June 2019 that can load additional plugins.

    • Detect Fabookie payload

    • Fabookie

      Fabookie is an information stealer that targets Facebook account data.

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Stops running service(s)

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks BIOS information in registry

      Malware often reads BIOS information from the registry to detect sandbox and virtual-machine environments.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive account data.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext
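As an added example (this is not part of the sandbox report or of any of the malware families' code), the following Python script turns the indicators above into a small offline checker: it hashes a file and compares the digests with those listed for the .bin and the .exe, and it scans log lines for the extracted SmokeLoader, RedLine and Fabookie C2 endpoints. The hashes and C2 values are copied from the report; the log lines and the log format are constructed for the demonstration and are an assumption about what a proxy or firewall log looks like.

```python
import hashlib
import re
from urllib.parse import urlparse

# Digests copied from the report above (General target and analysed .exe).
KNOWN_SAMPLES = {
    "073462961b7a6ad2577b52ad36ff853a.bin": {
        "md5": "75ca2e8f3e5b997c6630f57e1d4791c5",
        "sha1": "15d3dfffb4e23d946b195847a3df5eca33d7a61a",
        "sha256": "1a512233faf8999e015d8838f1a38197fefc249eae8923cfcf2446b40373ee96",
    },
    "e7b03db448a2b1491bc92d659af57e4ff42e91616bb9d9ddce9b0e22b31517e8.exe": {
        "md5": "073462961b7a6ad2577b52ad36ff853a",
        "sha1": "e1905413849a8552196584ce55b4af0687c65879",
        "sha256": "e7b03db448a2b1491bc92d659af57e4ff42e91616bb9d9ddce9b0e22b31517e8",
    },
}

# C2 endpoints copied from the extracted configs above.
SMOKELOADER_C2 = [
    "http://potunulit.org/", "http://hutnilior.net/", "http://bulimu55t.net/",
    "http://soryytlic4.net/", "http://novanosa5org.org/", "http://nuljjjnuli.org/",
    "http://tolilolihul.net/", "http://somatoka51hub.net/", "http://hujukui3.net/",
    "http://bukubuka1.net/", "http://golilopaster.org/", "http://newzelannd66.org/",
    "http://otriluyttn.org/",
]
REDLINE_C2 = "51.38.95.107:42494"          # raw TCP, so match on ip:port
FABOOKIE_C2 = "http://app.nnnaajjjgc.com/check/safe"

# host (or ip:port) -> family lookup table built from the config block
C2_HOSTS = {urlparse(u).hostname: "smokeloader" for u in SMOKELOADER_C2}
C2_HOSTS[urlparse(FABOOKIE_C2).hostname] = "fabookie"
C2_HOSTS[REDLINE_C2] = "redline"


def file_hashes(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 of a byte string, as lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def identify_sample(data: bytes) -> list:
    """Return (sample name, algorithm) pairs whose digest matches `data`."""
    digests = file_hashes(data)
    return [
        (name, algo)
        for name, known in KNOWN_SAMPLES.items()
        for algo, digest in known.items()
        if digests[algo] == digest
    ]


# Tokens that look like ip:port or a dotted hostname, not preceded by a word char,
# so "potunulit.org" inside "http://potunulit.org/" is found but "nnnaajjjgc.com"
# inside "app.nnnaajjjgc.com" is not matched separately.
TOKEN_RE = re.compile(
    r"(?<![\w.-])((?:\d{1,3}\.){3}\d{1,3}:\d{1,5}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I
)


def scan_log(lines) -> list:
    """Return (line number, endpoint, family) for each line touching a known C2."""
    hits = []
    for n, line in enumerate(lines, 1):
        seen = set()
        for tok in TOKEN_RE.findall(line):
            tok = tok.lower()
            family = C2_HOSTS.get(tok)
            if family and tok not in seen:
                seen.add(tok)
                hits.append((n, tok, family))
    return hits


# Constructed log lines (assumed proxy/firewall format), not taken from the report.
SAMPLE_LOG = """\
2023-09-23T10:01:02Z ws01 proxy dst=potunulit.org method=POST url=http://potunulit.org/ status=200
2023-09-23T10:01:05Z ws01 proxy dst=update.example.com method=GET url=http://update.example.com/ok status=200
2023-09-23T10:01:09Z ws01 fw allow tcp 10.0.0.5:49711 -> 51.38.95.107:42494
2023-09-23T10:01:12Z ws01 proxy dst=app.nnnaajjjgc.com method=GET url=http://app.nnnaajjjgc.com/check/safe status=200
"""

if __name__ == "__main__":
    for lineno, endpoint, family in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {lineno}: {endpoint} -> {family}")
    print("empty file matches:", identify_sample(b""))
```

Matching on the SHA256 is the reliable check; the MD5 and SHA1 are kept only because older feeds and the report itself list them. Note that RedLine's endpoint is a bare socket, so it only appears in connection logs as ip:port, never as a hostname, and the SmokeLoader domains are a rotating list, so a hit on any one of them is sufficient.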

MITRE ATT&CK Enterprise v15

Tasks