General

  • Target

    485691be547b832c29a0d81223b756fc.exe

  • Size

    991KB

  • Sample

    231219-azssxsfhc5

  • MD5

    485691be547b832c29a0d81223b756fc

  • SHA1

    6bb38cbede7d55466cc25d4c3d33e07c4ea59e16

  • SHA256

    433895b81e5ef461f97327e064b25cb40284a44049e6231c0c60e6f54517138a

  • SHA512

    2722634c6cc654e6854d458a3b87521ba0e33addfc6cec9b2373fa98878562e1f334762c1ac0f7efc2a93e7167fe318668cb60aae8932df6983a74572de6e10b

  • SSDEEP

    24576:OyWpUBWQdYhk9Dy9rNZPzlzc62cVSMrgk:dOUcQd1o9rccJ

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://185.215.113.68/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

LiveTraffic

C2

77.105.132.87:17066

Extracted

Family

smokeloader

Botnet

up3

Targets

    • Target

      485691be547b832c29a0d81223b756fc.exe

    • Size

      991KB

    • MD5

      485691be547b832c29a0d81223b756fc

    • SHA1

      6bb38cbede7d55466cc25d4c3d33e07c4ea59e16

    • SHA256

      433895b81e5ef461f97327e064b25cb40284a44049e6231c0c60e6f54517138a

    • SHA512

      2722634c6cc654e6854d458a3b87521ba0e33addfc6cec9b2373fa98878562e1f334762c1ac0f7efc2a93e7167fe318668cb60aae8932df6983a74572de6e10b

    • SSDEEP

      24576:OyWpUBWQdYhk9Dy9rNZPzlzc62cVSMrgk:dOUcQd1o9rccJ

    • Detect ZGRat V1

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks