General

  • Target

    848316a9e8e15a6c288b2395f785082f.exe

  • Size

    1.6MB

  • Sample

    231216-e2hsysadfk

  • MD5

    848316a9e8e15a6c288b2395f785082f

  • SHA1

    64b190901402704f26785dd5c815164834cc837e

  • SHA256

    af1a26b503f91e02a849536f18cc7dc1557e6e370e91406bdc35026133747fa0

  • SHA512

    eaa1e05c6c2bd2d82e6bc73355e6f4aa9d5f8befc1c05d3333260532ce3e23e91ecee86952dc44b276a5b4352c346f43cfc1b0aef317eb2a22b9c6d6219394db

  • SSDEEP

    24576:XyFXe0PrB2vlHkiYSHZ6PWYGpRTKilkkjAyRGuQb7dIDN7h0SfGLqr5Q:iJbP92vy456PPcnkkTfN7h6

Malware Config

Extracted

  • Family: smokeloader
  • Version: 2022
  • C2: http://185.215.113.68/fks/index.php
  • rc4.i32
  • rc4.i32

Extracted

  • Family: redline
  • Botnet: @oleh_ps
  • C2: 176.123.7.190:32927

Extracted

  • Family: lumma
  • C2:

    http://soupinterestoe.fun/api

    http://dayfarrichjwclik.fun/api

    http://neighborhoodfeelsa.fun/api

    http://ratefacilityframw.fun/api
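To turn the extracted C2 indicators into a detection, the following added example (not part of the sandbox report) sweeps proxy, DNS and connection log lines for the SmokeLoader URL, the RedLine socket and the Lumma domains listed above. The indicator values are the ones in the Malware Config section; the four log lines are constructed for the example, and their field layout (`src=`, `dst=`, `url=`, `query=`) is an assumption rather than any product's format.

```python
"""Sweep log lines for the C2 indicators this report extracted.

Added example for this report, not part of the sandbox output. The
indicator values are copied from the Malware Config section; the log
lines are constructed for the example, and their field layout
(src=, dst=, url=, query=) is an assumption, not a product format."""
import re
from urllib.parse import urlparse

# C2 indicators as extracted above (SmokeLoader, RedLine, Lumma).
IOCS = {
    "smokeloader": {"urls": ["http://185.215.113.68/fks/index.php"]},
    "redline": {"sockets": ["176.123.7.190:32927"]},
    "lumma": {
        "urls": [
            "http://soupinterestoe.fun/api",
            "http://dayfarrichjwclik.fun/api",
            "http://neighborhoodfeelsa.fun/api",
            "http://ratefacilityframw.fun/api",
        ]
    },
}

# Constructed log lines (not captured traffic); line 4 is benign.
LOG_LINES = [
    "2023-12-16T14:05:01Z proxy src=10.0.0.5 dst=185.215.113.68 url=http://185.215.113.68/fks/index.php status=200",
    "2023-12-16T14:05:03Z dns src=10.0.0.5 query=dayfarrichjwclik.fun type=A",
    "2023-12-16T14:05:04Z conn src=10.0.0.5 dst=176.123.7.190:32927 proto=tcp",
    "2023-12-16T14:05:09Z proxy src=10.0.0.7 dst=93.184.216.34 url=http://example.com/index.html status=200",
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
# An IPv4 address or a hostname, optionally followed by :port.
HOST_RE = re.compile(
    r"\b((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?::(\d{1,5}))?",
    re.I,
)


def build_matchers(iocs):
    """Flatten the config into (family, kind, value) tuples: full URLs,
    ip:port sockets, and the bare host of each URL or socket so that DNS
    and flow logs match as well as proxy logs."""
    matchers = []
    for family, fields in iocs.items():
        for url in fields.get("urls", []):
            matchers.append((family, "url", url.lower()))
            matchers.append((family, "host", urlparse(url).hostname.lower()))
        for sock in fields.get("sockets", []):
            host, _port = sock.rsplit(":", 1)
            matchers.append((family, "socket", sock.lower()))
            matchers.append((family, "host", host.lower()))
    return matchers


def extract_candidates(line):
    """Pull every URL, host and host:port token out of one log line."""
    urls = {u.lower() for u in URL_RE.findall(line)}
    hosts, sockets = set(), set()
    for m in HOST_RE.finditer(line):
        host = m.group(1).lower()
        hosts.add(host)
        if m.group(2):
            sockets.add(f"{host}:{m.group(2)}")
    return {"url": urls, "host": hosts, "socket": sockets}


def sweep(lines, iocs):
    """Return (line_no, family, kind, value) for every indicator hit."""
    matchers = build_matchers(iocs)
    hits = []
    for no, line in enumerate(lines, start=1):
        cands = extract_candidates(line)
        for family, kind, value in matchers:
            if value in cands[kind]:
                hits.append((no, family, kind, value))
    return hits


def families_hit(hits):
    """Set of families with at least one hit; useful for triage priority."""
    return {family for _, family, _, _ in hits}


if __name__ == "__main__":
    for hit in sweep(LOG_LINES, IOCS):
        print("line %d: %-11s %-6s %s" % hit)
```

Matching on the bare host as well as the full URL is deliberate: a Lumma beacon to `/api` with extra query parameters, or a DNS query alone, would otherwise slip past an exact-URL check. Port-less host hits on shared IP addresses are lower confidence than socket or URL hits and should be weighted accordingly.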

Targets

    • Target

      848316a9e8e15a6c288b2395f785082f.exe


    • Detect Lumma Stealer payload V4

    • Detected google phishing page

    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class, which hides the calling thread from an attached debugger; a common anti-analysis technique.
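Several of the signatures above (Adds Run key to start application, Drops startup file, Modifies Windows Defender Real-time Protection settings) can be checked on a suspect host from a registry export. The following added example, which is not part of the report and not the sample's own code, parses text in `reg export` format and flags Run-key entries that launch from user-writable paths and Real-Time Protection policy values set to disable it. The export text is constructed; the `Updater` value name and its path are assumptions, not artefacts recovered from this sample.

```python
"""Audit a registry export for the Run-key persistence and Defender
tampering behaviours flagged in this report.

Added example for this report, not sandbox output and not the sample's
own code. REG_EXPORT is constructed text in `reg export` format; the
"Updater" value name and its path are assumptions, not artefacts
recovered from this sample."""
import re

# Constructed registry export (not taken from an infected host).
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Users\\user\\AppData\\Roaming\\Updater\\Updater.exe\" /silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"DisableBehaviorMonitoring"=dword:00000001
"DisableIOAVProtection"=dword:00000000
'''

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
ESCAPE_RE = re.compile(r"\\(.)")

RUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
DEFENDER_RTP_SUFFIX = r"\policies\microsoft\windows defender\real-time protection"
# Policy values that switch off parts of Real-Time Protection when set to 1.
DEFENDER_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
}
# Launch paths a normal Run entry rarely uses but dropped payloads often do.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Users\\Public|ProgramData|Temp)\\", re.I)


def parse_value(raw):
    """Decode the right-hand side of a .reg value line."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return ESCAPE_RE.sub(r"\1", raw[1:-1])   # REG_SZ with \\ and \" escapes
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)                   # REG_DWORD as 8 hex digits
    return raw                                    # other types left raw


def parse_reg(text):
    """Parse .reg text into {key: {value_name: value}}."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            reg.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            reg[key][ESCAPE_RE.sub(r"\1", m.group(1))] = parse_value(m.group(2))
    return reg


def audit(reg):
    """Return (finding, key, value_name, value) tuples worth a look."""
    findings = []
    for key, values in reg.items():
        key_l = key.lower()
        if key_l.endswith(RUN_KEY_SUFFIXES):
            for name, cmd in values.items():
                if isinstance(cmd, str) and USER_WRITABLE_RE.search(cmd):
                    findings.append(("run_key_user_writable", key, name, cmd))
        if key_l.endswith(DEFENDER_RTP_SUFFIX):
            for name, val in values.items():
                if name in DEFENDER_DISABLE_VALUES and val == 1:
                    findings.append(("defender_rtp_disabled", key, name, val))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(REG_EXPORT)):
        print(finding)
```

On a live host, export the keys with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM Run and Defender policy keys likewise) and feed the file to `parse_reg`. A Run entry under `AppData` is not proof of compromise on its own, since some legitimate updaters live there, so treat it as a lead to pivot on with the file's hash, which for this sample is given in the General section.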

MITRE ATT&CK Enterprise v15

Tasks