General

  • Target

    c0061cc9028a73844f3121fe399ad621.bin

  • Size

    948KB

  • Sample

    231220-d4l3qaachn

  • MD5

    7a5b0d72ee7b01466364bb74c9396214

  • SHA1

    a71e65c849bff46bc188088308d3c34f03eea8a8

  • SHA256

    da8202138db119c47fe43c93c5b918ab2505ed5360dbe1c654713ad17e81c8e8

  • SHA512

    8b75a840134742ac2d2374af7f746b4dce06bc6bb6b8579e93480233f166df55b7ad34f6cf7b6d8c00ca1f5b9356de3a4f289895b692ad12034a5dbfae55d772

  • SSDEEP

    24576:NLZ4bDKADMLaSA0fuB+AfBpwf22LF2TQxxoHA:JZ4/KAQuSZfucA5pwf2tTQxxwA

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://185.215.113.68/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

@oleh_ps

C2

176.123.7.190:32927

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32
rc4.i32

Extracted

Family

stealc

C2

http://77.91.76.36

Attributes
  • url_path

    /3886d2276f6914c4.php

rc4.plain

Extracted

Family

redline

Botnet

@ytlogsbot

C2

176.123.7.190:32927

Extracted

Family

redline

Botnet

LiveTraffic

C2

77.105.132.87:17066

Targets

    • Target

      f782933fb6a551cd97aabaf041ce9521694203199fe8a62efdfdd9dda00548e0.exe

    • Size

      992KB

    • MD5

      c0061cc9028a73844f3121fe399ad621

    • SHA1

      8ffa300ebca3ad064d99b590956be68703b8dcc9

    • SHA256

      f782933fb6a551cd97aabaf041ce9521694203199fe8a62efdfdd9dda00548e0

    • SHA512

      fec12b2ea21fbcc7fb5a16759b04037754d628d06b61287dc08813a7241cad8e7565e1aa775b79b5c5e7877ba520fa65326514288685429b7c00add734cf1622

    • SSDEEP

      12288:JMrGy90p8E2wB06puJG1TP/XtLgM0VCND/4BW9whUI/l+22w2Z4pTqUt/ZacIa9s:DyU92wAJuLDd/4k9X29yZCT4cz2mur

    • Detect ZGRat V1

    • Detected google phishing page

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++, first seen in August 2022.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Stealc

      Stealc is an infostealer written in C++.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks