General

  • Target

    51121794f13e6a676fee56a6cb7d289286377962288dbe0a6f366f03173fd546

  • Size

    1MB

  • Sample

    231129-sdde8ahc3t

  • MD5

    725e7553e971593c87fa1ca820258a1b

  • SHA1

    d2e5b957a1801a015d2b7d3049003f0bcc931241

  • SHA256

    51121794f13e6a676fee56a6cb7d289286377962288dbe0a6f366f03173fd546

  • SHA512

    52b00a4f998d332b407a8bfebdf5a6e9eff098f3fcdbc981e9a9aa2552851f6e561013c84bf581de239a8b3d6097f67133510c8f03e087596ab0799c3a507573

  • SSDEEP

    49152:ahHeKAu3wSWikXcE+QC+sd4rX+zl+x5KALtnQimIv9g:vWwpiknRWlZwV

Malware Config

Extracted

Family

risepro

C2

194.49.94.152

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Extracted

Family

smokeloader

Version

2022

C2

http://194.49.94.210/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

@ytlogsbot

C2

194.169.175.235:42691

Extracted

Family

redline

Botnet

LiveTraffic

C2

195.10.205.16:2245

Targets

    • Target

      51121794f13e6a676fee56a6cb7d289286377962288dbe0a6f366f03173fd546

    • Size

      1MB

    • MD5

      725e7553e971593c87fa1ca820258a1b

    • SHA1

      d2e5b957a1801a015d2b7d3049003f0bcc931241

    • SHA256

      51121794f13e6a676fee56a6cb7d289286377962288dbe0a6f366f03173fd546

    • SHA512

      52b00a4f998d332b407a8bfebdf5a6e9eff098f3fcdbc981e9a9aa2552851f6e561013c84bf581de239a8b3d6097f67133510c8f03e087596ab0799c3a507573

    • SSDEEP

      49152:ahHeKAu3wSWikXcE+QC+sd4rX+zl+x5KALtnQimIv9g:vWwpiknRWlZwV

    • Detect ZGRat V1

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

2
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Peripheral Device Discovery

1
T1120

Tasks