Overview

overview

10

Static

static

10

0b5ab18b1f...e2.exe

windows7-x64

10

0b5ab18b1f...e2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0b5ab18b1fb6b220e32a614dfb5b4de2.exe

  • Size

    37KB

  • Sample

    231210-2v37msfhc3

  • MD5

    0b5ab18b1fb6b220e32a614dfb5b4de2

  • SHA1

    42b2d5dcf34395173b96899113d42080f0053643

  • SHA256

    8b978cea455f253e274933089679a398069a42108e037cb3f930f168fb89c3cb

  • SHA512

    999bcc43833f18abf11804bec0acc419a03dbce7ebc3900dfd3cdb5fe8e66af5baa71f8961c13d7a38162e73206ae245d3eb2ef6eb24d1b17de001f6b6324bf7

  • SSDEEP

    768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX

Score
10/10
eternitygluptebalummaredlinesmokeloadersocks5systemz@oleh_pslivetrafficup3backdoorbotnetdiscoverydropperevasioninfostealerloaderspywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://81.19.131.34/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

LiveTraffic

C2

77.105.132.87:6731

Extracted

Family

redline

Botnet

@oleh_ps

C2

176.123.7.190:32927

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

eternity

Wallets

47vk9PbPuHnEnazCn4tLpwPCWRLSMhpX9PD8WqpjchhTXisimD6j8EvRFDbPQHKUmHVq3vAM3DLytXLg8CqcdRXRFdPe92Q

Attributes
  • payload_urls

    https://raw.githubusercontent.com/VolVeRFM/SilentMiner-VolVeR/main/VolVeRBuilder/Resources/xmrig.exe

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/
rc4.i32
rc4.i32

Extracted

Family

socks5systemz

Attributes
  • rc4_key

    i4hiea56#7b&dfw3

Targets

    • Target

      0b5ab18b1fb6b220e32a614dfb5b4de2.exe

    • Size

      37KB

    • MD5

      0b5ab18b1fb6b220e32a614dfb5b4de2

    • SHA1

      42b2d5dcf34395173b96899113d42080f0053643

    • SHA256

      8b978cea455f253e274933089679a398069a42108e037cb3f930f168fb89c3cb

    • SHA512

      999bcc43833f18abf11804bec0acc419a03dbce7ebc3900dfd3cdb5fe8e66af5baa71f8961c13d7a38162e73206ae245d3eb2ef6eb24d1b17de001f6b6324bf7

    • SSDEEP

      768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX

    Score
    10/10
    eternitygluptebaredlinesmokeloader@oleh_pslivetrafficup3backdoordiscoverydropperevasioninfostealerloaderspywarestealertrojanlummasocks5systemzbotnet

    • Detect Lumma Stealer payload V4

    • Detect Socks5Systemz Payload

    • Eternity

      Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

      eternity

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba payload

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socks5Systemz

      Socks5Systemz is a botnet written in C++.

      botnetsocks5systemz

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Stops running service(s)

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks