General

  • Target

    NEAS.b21ac7a7e7665cb061023ea040020fe86c09c6b8b724ec1666e92b659a1ffadc.exe

  • Size

    692KB

  • Sample

    231111-mjtfqsde81

  • MD5

    7b8a1cffeb1ec330b25c1f873c354b93

  • SHA1

    c65b3299d9660770e0c27764e6a8487b4b300558

  • SHA256

    b21ac7a7e7665cb061023ea040020fe86c09c6b8b724ec1666e92b659a1ffadc

  • SHA512

    a65cb7866927e8926c73d7db2938db5e822c571ca6895854e28dfa31846786731ef2d165061e18081871b428c18d50cb53ac01e05a240ff70b6936cb25d39c2b

  • SSDEEP

    12288:nMrky90Fa06TekBR/1K2cGdoI/h010yIwPWM441Y8rUk2Rea7FFUxt06ap8HhUpv:7y2n6Ku5zdJhoNfWVQY+x2Rea7sx7ap9

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://5.42.92.190/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Extracted

Family

redline

Botnet

pixelnew2.0

C2

194.49.94.11:80

Extracted

Family

smokeloader

Botnet

up3

Targets

    • Target

      NEAS.b21ac7a7e7665cb061023ea040020fe86c09c6b8b724ec1666e92b659a1ffadc.exe

    • Size

      692KB

    • MD5

      7b8a1cffeb1ec330b25c1f873c354b93

    • SHA1

      c65b3299d9660770e0c27764e6a8487b4b300558

    • SHA256

      b21ac7a7e7665cb061023ea040020fe86c09c6b8b724ec1666e92b659a1ffadc

    • SHA512

      a65cb7866927e8926c73d7db2938db5e822c571ca6895854e28dfa31846786731ef2d165061e18081871b428c18d50cb53ac01e05a240ff70b6936cb25d39c2b

    • SSDEEP

      12288:nMrky90Fa06TekBR/1K2cGdoI/h010yIwPWM441Y8rUk2Rea7FFUxt06ap8HhUpv:7y2n6Ku5zdJhoNfWVQY+x2Rea7sx7ap9

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detect Mystic stealer payload

    • Detect ZGRat V1

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks