General

  • Target

    26878e647ffe5a7bfde7c35788afc018215907148bfa6a191ec28429abf9f74f

  • Size

    321KB

  • Sample

    230923-jzka8adh8v

  • MD5

    2b7286938762a111e45b96fced3e05dc

  • SHA1

    9dc07c05ff7ad86d7b7e61f4877303d776cf69aa

  • SHA256

    26878e647ffe5a7bfde7c35788afc018215907148bfa6a191ec28429abf9f74f

  • SHA512

    adb9205a57b03b7e3ed0f22876811a68e7c7d2c9699277c121d4e2e8f1a2d5deb3d94120238a6267e9b408189dd514cabd30ee636dbc3d7c2b5fef9bc1772991

  • SSDEEP

    6144:1v0QHhFek7FnaFDpMM1rxX6lX5DU4Bue:1sQB0k7FYK+l6lpUc

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

51.38.95.107:42494

Attributes
  • auth_value

    3a050df92d0cf082b2cdaf87863616be

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32
rc4.i32

Targets

    • Target

      26878e647ffe5a7bfde7c35788afc018215907148bfa6a191ec28429abf9f74f

    • Size

      321KB

    • MD5

      2b7286938762a111e45b96fced3e05dc

    • SHA1

      9dc07c05ff7ad86d7b7e61f4877303d776cf69aa

    • SHA256

      26878e647ffe5a7bfde7c35788afc018215907148bfa6a191ec28429abf9f74f

    • SHA512

      adb9205a57b03b7e3ed0f22876811a68e7c7d2c9699277c121d4e2e8f1a2d5deb3d94120238a6267e9b408189dd514cabd30ee636dbc3d7c2b5fef9bc1772991

    • SSDEEP

      6144:1v0QHhFek7FnaFDpMM1rxX6lX5DU4Bue:1sQB0k7FYK+l6lpUc

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Stops running service(s)

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks