General

  • Target

    NEAS.71334cb3df06b322134688d24e5b8620d691a38ac42d72c5c0071b3de563fcb4.exe

  • Size

    1.0MB

  • Sample

    231111-mcrcssdd5t

  • MD5

    fe23f72033657a1b5438df084ebcb017

  • SHA1

    7b7c12339c043012c82c6222873eec5db78f39a7

  • SHA256

    71334cb3df06b322134688d24e5b8620d691a38ac42d72c5c0071b3de563fcb4

  • SHA512

    212790421e014eda361ee0eed1f4e1bc6cddadd9775f908ef723e69993ecc65378c874dd94318d93d09e6eec2e80d4c280a0249097d677745a48da873fc75d71

  • SSDEEP

    24576:JyiONw2aML3TTkgaepIslCeG1+5DdIbfUawtNvNd1+qjrBE4m2GKz:8iONjnTTueSyZGMefTANvNd1/jex2

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://5.42.92.190/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Extracted

Family

redline

Botnet

pixelnew2.0

C2

194.49.94.11:80

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32
rc4.i32

Targets

    • Target

      NEAS.71334cb3df06b322134688d24e5b8620d691a38ac42d72c5c0071b3de563fcb4.exe

    • Size

      1.0MB

    • MD5

      fe23f72033657a1b5438df084ebcb017

    • SHA1

      7b7c12339c043012c82c6222873eec5db78f39a7

    • SHA256

      71334cb3df06b322134688d24e5b8620d691a38ac42d72c5c0071b3de563fcb4

    • SHA512

      212790421e014eda361ee0eed1f4e1bc6cddadd9775f908ef723e69993ecc65378c874dd94318d93d09e6eec2e80d4c280a0249097d677745a48da873fc75d71

    • SSDEEP

      24576:JyiONw2aML3TTkgaepIslCeG1+5DdIbfUawtNvNd1+qjrBE4m2GKz:8iONjnTTueSyZGMefTANvNd1/jex2

    • Detect Mystic stealer payload

    • Detect ZGRat V1

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks