General

  • Target

    c8159fa89113ec6fc180ccb76ff3bdc6.bin

  • Size

    27KB

  • Sample

    231229-c52zwsfch6

  • MD5

    10816cef5074a409b083fb18477e6e81

  • SHA1

    341e1f8d370a1778b0f7cf1da5e21fc378b0e41c

  • SHA256

    7c360e39848a4045c9ad6d36ce58501ca4e5fc58aa2aa9edc39b195d5e4d7dfd

  • SHA512

    73cbe0df1177f28f7e70da0d3eda6b9c7ce1614b18b77c051efe36386d912f583cb996ccbd0a94dfdafd19b8f8e4b379d190b2fdc394893333922fe8df5a3a40

  • SSDEEP

    768:Ct9M9buEQusU3GjeLSa+zW/LGvXgzD0Il:CtBEQ7UEemvrYzN

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://185.215.113.68/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

LiveTraffic

C2

20.79.30.95:13856

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32
rc4.i32

Extracted

Family

stealc

C2

http://5.42.66.58

Attributes
  • url_path

    /3886d2276f6914c4.php

rc4.plain

Targets

    • Target

      bdf0d0149ee88a4b66f6535e6049fa2faf1351a69c7df0146b1fe6964e9c4ad6.exe

    • Size

      37KB

    • MD5

      c8159fa89113ec6fc180ccb76ff3bdc6

    • SHA1

      b7790fa8855c67a1b441b964910e2f1857a79c78

    • SHA256

      bdf0d0149ee88a4b66f6535e6049fa2faf1351a69c7df0146b1fe6964e9c4ad6

    • SHA512

      9db519b90242b75b1d6c61247311d628f820341aa2da4297becae3af837e817d9dd87219fa09e58bd979a3f4d674a54216b1f0a6db6002bbe1ff20fd62a9ba61

    • SSDEEP

      768:3E45SLnQpEhOB/hAGflc5xOXhr7gvexzv36:3E4EqEhOPNfqStgvexzv3

    • Detect ZGRat V1

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks