General

  • Target

    762d58dcf2178e53f6f5dc3d9e57dc7b0236b7aa7a131286c6056d03601ad61f

  • Size

    1.2MB

  • Sample

    231209-2911tsahaq

  • MD5

    3449de5dd315f0a264d48a27c641b924

  • SHA1

    0be8b0b5f156a66c43db17972e367bc4429dc7ea

  • SHA256

    762d58dcf2178e53f6f5dc3d9e57dc7b0236b7aa7a131286c6056d03601ad61f

  • SHA512

    52b8397f7a9d117e14cc055da6330cc470b708bd6553919c493cfe5472c637fa48737c0d1940f4f47fb6b9d27466ce88b26d66f89e3806bea2a4ff4a20d475cd

  • SSDEEP

    24576:yyxWqnC1/6/hd4y3rNh2Wb18zK/Os4yXK1P98jxRny/0glj:Z0qCspvJ4Wb18zK/NU18jxy0g

Malware Config

Extracted

  • Family

    risepro

  • C2

    193.233.132.51

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://81.19.131.34/fks/index.php

  • rc4.i32

Targets

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from the PayPal brand.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15