Resubmissions

10-12-2023 04:33

231210-e6jwtacahr 10

10-12-2023 04:09

231210-eqw67scack 10

General

  • Target

    bfae99d4151f53e647abb4f3288cf8cf.bin

  • Size

    2.5MB

  • Sample

    231210-e6jwtacahr

  • MD5

    bfae99d4151f53e647abb4f3288cf8cf

  • SHA1

    4cf27364d2ad80eaaeb276504de237e541bf640c

  • SHA256

    8c125756ce2bc007b647ac546d47f1bea26133fd330e37e6d9fa0bee98abaebe

  • SHA512

    31487cdac7a109b1001f71f07e83e104566d442b24b533754c4c600c6d736004701ad511156c886beaf52a13fc9b3ab4f28ad1a1b9db83fcc2bd2fbdd2dbcf50

  • SSDEEP

    49152:j0FEC8eMNAkJoH5asFeXCcbVDTR4PXbMuIFDQ76cEec:I29JoH7eRVPCPLMuI+GV

Malware Config

Extracted

Family

risepro

C2

193.233.132.51

Extracted

Family

smokeloader

Version

2022

C2

http://81.19.131.34/fks/index.php

rc4.i32
rc4.i32

Targets

    • Target

      bfae99d4151f53e647abb4f3288cf8cf.bin

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks