General

  • Target

    5e763b2204ceacf242df890d5dbee82fd696cd48b3522207f865f5c9b215c5bb

  • Size

    1.4MB

  • Sample

    231111-waq4paba63

  • MD5

    b010d525eda01c8711ca6c1b961df37d

  • SHA1

    7684a0e201046be167a44d7979a73514c6b81a1c

  • SHA256

    5e763b2204ceacf242df890d5dbee82fd696cd48b3522207f865f5c9b215c5bb

  • SHA512

    86813fe605faa18490338e8eba79b4f6e2118f614c201d449933dcd5c46fd4223f9c4669fff3d90539ecf25c62294eee7ebc7426599c10d586430f3084ef413f

  • SSDEEP

    24576:qyqfigMqcUPjbOeqIsFJQGxrSD6FKFOT/BiA+RgjddBK1IBgx9lUKWd/0fvno9:xkxlH6exwmGo+kOTUA8GtK1PLUKWd/Wf

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://5.42.92.190/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Extracted

Family

smokeloader

Botnet

up3

Targets

    • Target

      5e763b2204ceacf242df890d5dbee82fd696cd48b3522207f865f5c9b215c5bb

    • Size

      1.4MB

    • MD5

      b010d525eda01c8711ca6c1b961df37d

    • SHA1

      7684a0e201046be167a44d7979a73514c6b81a1c

    • SHA256

      5e763b2204ceacf242df890d5dbee82fd696cd48b3522207f865f5c9b215c5bb

    • SHA512

      86813fe605faa18490338e8eba79b4f6e2118f614c201d449933dcd5c46fd4223f9c4669fff3d90539ecf25c62294eee7ebc7426599c10d586430f3084ef413f

    • SSDEEP

      24576:qyqfigMqcUPjbOeqIsFJQGxrSD6FKFOT/BiA+RgjddBK1IBgx9lUKWd/0fvno9:xkxlH6exwmGo+kOTUA8GtK1PLUKWd/Wf

    • Detect Mystic stealer payload

    • Detect ZGRat V1

    • Detected Google phishing page

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks