Overview

overview

10

Static

static

3

26697ca6a8...e8.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    17a2c0150e6e483df2a2b93df792aaa5.bin

  • Size

    1.3MB

  • Sample

    231113-bhklnafd45

  • MD5

    d24aae6e3b13b0e1a97ce62e906e8875

  • SHA1

    12017125156fa8d0e7b8b311dd6de8597f95e567

  • SHA256

    4914228b4bc3cf5891cb064ae431098f07da199ea9c7fdefe109c92f362795d1

  • SHA512

    e8343f1fd9ff6416ab4dc7108a592f3cb7ffb6fc466fd2682da6c9462db2657f66d8aff25c541e09c877565f5184eb690bc01d03ff93fd3b88471a1c2f5f9ecc

  • SSDEEP

    24576:21qVWGQDis9oVhM+o1C+AcnJvEcPAGD4tOMrNgwPtd0AGVCJdKbKOFlkBu:21xvIhM+o1CgJvEqDdMrNgwVd0JIzwV9

Score
10/10
mysticraccoonredlinesmokeloaderzgratc78f27a0d43f29dbd112dbd9e387406btaigaup3backdoorevasioninfostealerpersistenceratstealerthemidatrojanupx

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://5.42.92.190/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Extracted

Family

raccoon

Botnet

c78f27a0d43f29dbd112dbd9e387406b

C2

http://31.192.237.23:80/

http://193.233.132.12:80/
Attributes
  • user_agent

    SunShineMoonLight

xor.plain

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/
rc4.i32
rc4.i32

Targets

    • Target

      26697ca6a89c20cbc034cf52f18535c64e354d83b9686b519b6b5c54517313e8.exe

    • Size

      1.4MB

    • MD5

      17a2c0150e6e483df2a2b93df792aaa5

    • SHA1

      d55bdcaf26aeab2bc84782476aac126b92bfe62c

    • SHA256

      26697ca6a89c20cbc034cf52f18535c64e354d83b9686b519b6b5c54517313e8

    • SHA512

      3f1ea559a3971b5acd3006d8a4b2417d48f9d4fca9a541eb66a0ca2327f7389038499cc4115d313e977187900e4013cbac2d84dfd382f3b182eb3fdeddaf6269

    • SSDEEP

      24576:DyLRy7LSIPMW0weTeaIs1W1GSYYDntp/K9fMoPQ/Qxlv6nCNjFQouJnP:WLCL/PM4Ueh6MG8ztN2fMOQYxlCnCdy5

    Score
    10/10
    mysticraccoonredlinesmokeloaderzgratc78f27a0d43f29dbd112dbd9e387406btaigaup3backdoorevasioninfostealerpersistenceratstealerthemidatrojanupx

    • Detect Mystic stealer payload

    • Detect ZGRat V1

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

      stealerraccoon

    • Raccoon Stealer payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Modifies Windows Firewall

      evasion

    • Stops running service(s)

      evasion

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks