General

  • Target

    c0fd1cdae82c73dc38c0b520ca35d21e76246234f67881401019b935cb0d53c8

  • Size

    935KB

  • Sample

    230924-azhmysch43

  • MD5

    058af984a19ee8094d4a73b29ac0d98b

  • SHA1

    94166f5ac459f4161c1e5ce71a8b41e79c3dfd9f

  • SHA256

    c0fd1cdae82c73dc38c0b520ca35d21e76246234f67881401019b935cb0d53c8

  • SHA512

    5f8f377b959ead9e82e57efa68cf6ee50013ad4a4c6dcdbdd31f52eddbf9d5a9749ce43606681352ac717628a33b7c7ad519f9cf16e60501ea9761dfa5895a40

  • SSDEEP

    24576:+yOV7S/SSeqK/VqjRNVY7s0WEGZwjChkEhEb2O1:NK7S/bvK/M1NVt0WEVCCaEbz

Malware Config

Extracted

Family

redline

Botnet

nanya

C2

77.91.124.82:19071

Attributes
  • auth_value

    640aa5afe54f566d8795f0dc723f8b52

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

fabookie

C2

http://app.nnnaajjjgc.com/check/safe

Extracted

Family

smokeloader

Botnet

up3

Targets

    • Target

      c0fd1cdae82c73dc38c0b520ca35d21e76246234f67881401019b935cb0d53c8

    • Size

      935KB

    • MD5

      058af984a19ee8094d4a73b29ac0d98b

    • SHA1

      94166f5ac459f4161c1e5ce71a8b41e79c3dfd9f

    • SHA256

      c0fd1cdae82c73dc38c0b520ca35d21e76246234f67881401019b935cb0d53c8

    • SHA512

      5f8f377b959ead9e82e57efa68cf6ee50013ad4a4c6dcdbdd31f52eddbf9d5a9749ce43606681352ac717628a33b7c7ad519f9cf16e60501ea9761dfa5895a40

    • SSDEEP

      24576:+yOV7S/SSeqK/VqjRNVY7s0WEGZwjChkEhEb2O1:NK7S/bvK/M1NVt0WEVCCaEbz

    • Detect Fabookie payload

    • Detect rhadamanthys stealer shellcode

    • Detects Healer an antivirus disabler dropper

    • Fabookie

      Fabookie is facebook account info stealer.

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • XMRig Miner payload

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks