General

  • Target

    a4528118f9eb27264827d48f387f76aa.bin

  • Size

    2.6MB

  • Sample

    231210-ecpj7sbhel

  • MD5

    4fdae069d520b9cf6b22e97803c28e57

  • SHA1

    c7efc7ca769d1d337b332a86ba8b02cf70556aa0

  • SHA256

    3962583f63f105ee5d8693a5f1e1eef01bf4bb890d2775c1d4e93dbbfa634788

  • SHA512

    16eabb111a2e3d35da64333772b5f65c413e3afc9716d4a3265d2cf3b3c4e8ab579fa7f2163bc9b3ef70cab60a407b1a9a6fea06b150c20748e24a41abeefba8

  • SSDEEP

    49152:Ls7b1eLboUYJFZSyBMCgYm8590EivlGGXMJ8/HQ2jlVwuli3BmRM2z6IvIjhV:Q7bXUYr3gYmS0XBB/HQmbwUM29vIjhV

Malware Config

Extracted

Family

risepro

C2

193.233.132.51

Extracted

Family

smokeloader

Version

2022

C2

http://81.19.131.34/fks/index.php

rc4.i32

Targets

    • Target

      5e1c1fe206f1a77acc98ab7256c10c1477924786d96d8b079ac2218f20ac582c.exe

    • Size

      2.7MB

    • MD5

      a4528118f9eb27264827d48f387f76aa

    • SHA1

      d7b548a78eba05f493453af8c463711ebbca6f6a

    • SHA256

      5e1c1fe206f1a77acc98ab7256c10c1477924786d96d8b079ac2218f20ac582c

    • SHA512

      66865dacd2ff847a7118bb84ab761ed96c18f430e41971fca57d5cc97a4b1eb2ebc9aab4610393ab8d8837957b93f2a00f4f4c70ecc7aaeaabb86b789ea7473e

    • SSDEEP

      49152:M8DAzojboQXqz54zhq/Q37bDKESzZCLaegL3zuBoMWwp4FpG:Bp/094zf7vvSFCWfjuEwW

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand PayPal.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks