General

  • Target

    d20d1547596341380bc31854107cf43dff4095e95f9f3d840237b31e38e3c201

  • Size

    240KB

  • Sample

    230923-hqb3tadf4x

  • MD5

    3d8ed33cfcf972b853765036508ff133

  • SHA1

    1ffea0bd61b1315e5f6298bea7cf15a89088d406

  • SHA256

    d20d1547596341380bc31854107cf43dff4095e95f9f3d840237b31e38e3c201

  • SHA512

    5959f2d9773489c580096f81938ee375fe2ef7a7651b004fd6551868074207f78b159c71141cfeaf43125864f29a2a9863c69cec4b123488440d46c918bf9327

  • SSDEEP

    6144:9A5frpxdonyq4zaG2u5AO8eKRzSCmP8/2B/3quqp:9erp0/9u5ye5vquqp

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

fabookie

C2

http://app.nnnaajjjgc.com/check/safe

Targets

    • Target

      d20d1547596341380bc31854107cf43dff4095e95f9f3d840237b31e38e3c201

    • Detect Fabookie payload

    • Fabookie

      Fabookie is a Facebook account info stealer.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar information.

    • Uses the VBS compiler for execution

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15