General

  • Target

    872aef68846ab8587a930d7d786a1a51.exe

  • Size

    991KB

  • Sample

    231218-31te3afgg8

  • MD5

    872aef68846ab8587a930d7d786a1a51

  • SHA1

    0c47b4c0c1142d63fffab41705b1bd2945409865

  • SHA256

    44365f98d16e475a1638df59aca02415388a327b2f3738acbea8dfddec202654

  • SHA512

    7cf397633886f4e577573274663d860b0e8a4e798d388b804dde250b7567e53217afe5505a35a753bdbd20b3c18bb1b0631b271c5c0ee3ba7efaedaae2b54e24

  • SSDEEP

    24576:+y/J/5LDd/4k91SgWcFSfEplA4vAvG1A5Ig:N/J/tDdjqgWRsXSGeI

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://185.215.113.68/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

LiveTraffic

C2

77.105.132.87:17066

Targets

    • Target

      872aef68846ab8587a930d7d786a1a51.exe

    • Size

      991KB

    • MD5

      872aef68846ab8587a930d7d786a1a51

    • SHA1

      0c47b4c0c1142d63fffab41705b1bd2945409865

    • SHA256

      44365f98d16e475a1638df59aca02415388a327b2f3738acbea8dfddec202654

    • SHA512

      7cf397633886f4e577573274663d860b0e8a4e798d388b804dde250b7567e53217afe5505a35a753bdbd20b3c18bb1b0631b271c5c0ee3ba7efaedaae2b54e24

    • SSDEEP

      24576:+y/J/5LDd/4k91SgWcFSfEplA4vAvG1A5Ig:N/J/tDdjqgWRsXSGeI

    • Detected google phishing page

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.
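The extracted configs above give two network indicators (the SmokeLoader C2 URL and the RedLine C2 host:port), and the behaviour list notes an external IP lookup. As an added example that is not part of this report, the script below turns those indicators into a detection pass over proxy and flow logs and checks a file's digests against the sample's hashes. The log lines are constructed for the demonstration, and the list of IP-lookup services is an assumption: the report says only that a legitimate lookup service was used, not which one.

```python
"""Added example (not part of the sandbox report): match the report's IOCs
against proxy and netflow logs and verify a file against the sample hashes.
Log lines are constructed; the IP-lookup host list is an assumption."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import urlsplit

# Indicators taken directly from the report.
SAMPLE_HASHES = {
    "md5": "872aef68846ab8587a930d7d786a1a51",
    "sha1": "0c47b4c0c1142d63fffab41705b1bd2945409865",
    "sha256": "44365f98d16e475a1638df59aca02415388a327b2f3738acbea8dfddec202654",
}
SMOKELOADER_C2_URL = "http://185.215.113.68/fks/index.php"
REDLINE_C2 = ("77.105.132.87", 17066)

# Assumption: the report does not name the IP-lookup service, so this is a
# list of services commonly queried by stealers, not one taken from the page.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "ip-api.com", "icanhazip.com"}

# Constructed proxy log: time client dst_ip dst_port method url
PROXY_LOG = """\
1702900001 10.0.0.14 185.215.113.68 80 POST http://185.215.113.68/fks/index.php
1702900002 10.0.0.14 104.26.12.205 443 GET https://api.ipify.org/?format=text
1702900003 10.0.0.21 142.250.74.78 443 GET https://www.google.com/
"""

# Constructed flow log: time src_ip src_port dst_ip dst_port proto
FLOW_LOG = """\
1702900005 10.0.0.14 49712 77.105.132.87 17066 TCP
1702900006 10.0.0.21 49713 142.250.74.78 443 TCP
"""


@dataclass
class Hit:
    host: str      # internal host that produced the traffic
    rule: str      # which indicator fired
    evidence: str  # the URL or host:port that matched


def scan_proxy(lines: Iterable[str]) -> list[Hit]:
    """Flag SmokeLoader C2 check-ins (host + path) and external IP lookups."""
    hits: list[Hit] = []
    c2 = urlsplit(SMOKELOADER_C2_URL)
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than crash the pass
        _, client, _, _, _, url = parts
        u = urlsplit(url)
        if (u.hostname, u.path) == (c2.hostname, c2.path):
            hits.append(Hit(client, "smokeloader_c2", url))
        elif u.hostname in IP_LOOKUP_HOSTS:
            hits.append(Hit(client, "external_ip_lookup", url))
    return hits


def scan_flows(lines: Iterable[str]) -> list[Hit]:
    """Flag connections to the RedLine C2 socket; RedLine uses a raw TCP
    channel, so only the flow log (not the proxy log) can see it."""
    hits: list[Hit] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue
        _, src, _, dst, dport, _ = parts
        if (dst, int(dport)) == REDLINE_C2:
            hits.append(Hit(src, "redline_c2", f"{dst}:{dport}"))
    return hits


def hash_matches(data: bytes) -> dict[str, bool]:
    """Compare a file's digests against the report's MD5/SHA1/SHA256."""
    return {
        algo: hashlib.new(algo, data).hexdigest() == digest
        for algo, digest in SAMPLE_HASHES.items()
    }


def triage(proxy_log: str = PROXY_LOG, flow_log: str = FLOW_LOG):
    """Run both scans and group fired rules per internal host, so a host
    showing the loader C2, the IP lookup and the stealer C2 stands out."""
    hits = scan_proxy(proxy_log.splitlines()) + scan_flows(flow_log.splitlines())
    by_host: dict[str, set[str]] = {}
    for h in hits:
        by_host.setdefault(h.host, set()).add(h.rule)
    return hits, by_host


if __name__ == "__main__":
    for host, rules in triage()[1].items():
        print(host, sorted(rules))
```

Matching the SmokeLoader indicator on hostname plus path rather than the full string means a trailing query or a port suffix does not defeat the rule; the RedLine indicator has to come from flow or firewall data because a plain TCP C2 never appears in an HTTP proxy log.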

MITRE ATT&CK Enterprise v15

Tasks