Overview

overview

10

Static

static

10

0x00060000...46.exe

windows7-x64

10

0x00060000...46.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0x000600000002324d-46.dat

  • Size

    38KB

  • Sample

    231129-ttajyahg9w

  • MD5

    4bc90f1f9e9962bd7f2e5136bc0b0ddb

  • SHA1

    dabd8318724fcb6fe91f2cbe8d1bf807e321b92d

  • SHA256

    e48cc9b5b9edd213a0fb10cd355342ea85550096ccadf93431041b0be486b8a4

  • SHA512

    d32e7779fb5a896792ec6bb0743290eac6ca801b39ce75c0e15315c028c45b5a22f4752d006d19e0b5937d0c937fcdce6cabb7fd0c857a5428ca7b3007e72625

  • SSDEEP

    768:f8FhylJE+hwr5hN7F0I0bQyvUgq65DQVi:f8qlJEQwrDNuIyvD5sV

Score
10/10
gluptebaredlinesmokeloaderzgrat@ytlogsbotlivetrafficup3backdoordiscoverydropperevasioninfostealerloaderratspywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://194.49.94.210/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

@ytlogsbot

C2

194.169.175.235:42691

Extracted

Family

redline

Botnet

LiveTraffic

C2

195.10.205.16:2245

Extracted

Family

smokeloader

Botnet

up3

Targets

    • Target

      0x000600000002324d-46.dat

    • Size

      38KB

    • MD5

      4bc90f1f9e9962bd7f2e5136bc0b0ddb

    • SHA1

      dabd8318724fcb6fe91f2cbe8d1bf807e321b92d

    • SHA256

      e48cc9b5b9edd213a0fb10cd355342ea85550096ccadf93431041b0be486b8a4

    • SHA512

      d32e7779fb5a896792ec6bb0743290eac6ca801b39ce75c0e15315c028c45b5a22f4752d006d19e0b5937d0c937fcdce6cabb7fd0c857a5428ca7b3007e72625

    • SSDEEP

      768:f8FhylJE+hwr5hN7F0I0bQyvUgq65DQVi:f8qlJEQwrDNuIyvD5sV

    Score
    10/10
    gluptebaredlinesmokeloaderzgrat@ytlogsbotlivetrafficup3backdoordiscoverydropperevasioninfostealerloaderratspywarestealertrojan

    • Detect ZGRat V1

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks