General

  • Target

    956e99770844397eee747191dc6f6a9d.exe

  • Size

    6.1MB

  • Sample

    231219-d8rtrseear

  • MD5

    956e99770844397eee747191dc6f6a9d

  • SHA1

    1e0e8290dec57927b0670d7bc0a15fff66b5fbb5

  • SHA256

    ce654e4934dd045ce89e801a081bfcdcb7a3d6acef665da960daedc13c9557d1

  • SHA512

    5fe3ce96f0890770a8bd4ab4b10b2c66dee1212556cbf647031973c7009305c660e5172a3d30a1d5aeea30d58977eb15e08239ef81a46b2357c1a225fde09225

  • SSDEEP

    196608:AZqyT+82GsoUu/h5Z5w4TgFgHpJeE+Z9PZnTj8:q5z/Uu5e4TEgW9hnE

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://185.215.113.68/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

666

C2

195.20.16.103:18305

Extracted

Family

redline

Botnet

LiveTraffic

C2

77.105.132.87:17066

Targets

    • Detect ZGRat V1

    • Detected google phishing page

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks