General

  • Target

    23ddb64da4c6ba1df9384169ba35804c.exe

  • Size

    1.6MB

  • Sample

    231216-ejg4psbga9

  • MD5

    23ddb64da4c6ba1df9384169ba35804c

  • SHA1

    e12800387297e2e7209ea7ca3682f57d2d1695ad

  • SHA256

    f127cc97b1804964609ab8d528fd50cb1f3310ec2e710eb55c443c8d53362d98

  • SHA512

    0577eb9d8ff2d1ded4e1bce423d679a8e834d504a681d7e1b801dc5f920e126b8dd8dc23359fd88d73a599112e1aa6368d04f6b70d26d4ddb226d3233846ce62

  • SSDEEP

    24576:jyEXRtTci7u/0FLM6nvl/PkbVK7m9s0kI6opDlXabKhYFFfPUeYnTdrrER:2EXtYK4evlUoq2+6oXINchBX

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://185.215.113.68/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

@oleh_ps

C2

176.123.7.190:32927

Extracted

Family

lumma

C2

http://soupinterestoe.fun/api

http://dayfarrichjwclik.fun/api

http://neighborhoodfeelsa.fun/api

http://ratefacilityframw.fun/api

Targets

    • Target

      23ddb64da4c6ba1df9384169ba35804c.exe

    • Size

      1.6MB

    • MD5

      23ddb64da4c6ba1df9384169ba35804c

    • SHA1

      e12800387297e2e7209ea7ca3682f57d2d1695ad

    • SHA256

      f127cc97b1804964609ab8d528fd50cb1f3310ec2e710eb55c443c8d53362d98

    • SHA512

      0577eb9d8ff2d1ded4e1bce423d679a8e834d504a681d7e1b801dc5f920e126b8dd8dc23359fd88d73a599112e1aa6368d04f6b70d26d4ddb226d3233846ce62

    • SSDEEP

      24576:jyEXRtTci7u/0FLM6nvl/PkbVK7m9s0kI6opDlXabKhYFFfPUeYnTdrrER:2EXtYK4evlUoq2+6oXINchBX

    • Detect Lumma Stealer payload V4

    • Detected google phishing page

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks