General

  • Target

    NEAS.0e64858054dfd64efa0cc26a336e17bf89d1e67dc7fca8c8797fab1a22a7e2bd.exe

  • Size

    692KB

  • Sample

    231111-mkvp7aee49

  • MD5

    bd9aab77c236a692c4bf2dfa9b8e2e64

  • SHA1

    293a194fb994476ddaead892a70ce5528cf411e1

  • SHA256

    0e64858054dfd64efa0cc26a336e17bf89d1e67dc7fca8c8797fab1a22a7e2bd

  • SHA512

    0d155d3dbf8f4527a83b0aee3af0622e45df0a5f39fa937ab4b8e51cc8e50b1754b18ddd6bfb14a65f6a461f7dfe9935f05413167a66e61313e71af3bb154221

  • SSDEEP

    12288:CMray90NRZkZ9txPOEfhxQfbKONY8OU72LWDPiMgI585J4q3W2H4Mk7W4:EyYzIPOkybKONY722LWDaMgu32H4rS4

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://5.42.92.190/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Extracted

Family

redline

Botnet

pixelnew2.0

C2

194.49.94.11:80

Extracted

Family

smokeloader

Botnet

up3

Targets

    • Target

      NEAS.0e64858054dfd64efa0cc26a336e17bf89d1e67dc7fca8c8797fab1a22a7e2bd.exe

    • Detect Mystic stealer payload

    • Detect ZGRat V1

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Adds Run key to start application

    • Detected potential entity reuse from brand Microsoft.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks