General

  • Target

    c833507635537e50f5e884eb8242fea0.bin

  • Size

    27KB

  • Sample

    231229-c58sfafch8

  • MD5

    00ec5047e19bcd93062451eeb282dbf5

  • SHA1

    57b80f265ca9555eda320a95f9f974a43b73612c

  • SHA256

    98ee78a958f247600adfb46ebcf7f6862a383519b946ed06cf0f15273b5f2a92

  • SHA512

    afcea4d80dbedcb124dd507473cb680f8e85c8f38cd8c17089ae4c5b3564c07c6cbd2d33a5d36932cf0a822dd1cfd6b0b7f38dc509ad52b8bfc36af8587e9638

  • SSDEEP

    384:kb2InI9WUEUgvw6qynfR7ElivV2oVU9RlNaLvPiPlYexb:22SI9WUEBvzJ7EN9ReLSPlVb

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://185.215.113.68/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

LiveTraffic

C2

20.79.30.95:13856

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32
rc4.i32

Extracted

Family

stealc

C2

http://5.42.66.58

Attributes
  • url_path

    /3886d2276f6914c4.php

rc4.plain

Extracted

Family

djvu

C2

http://zexeq.com/test1/get.php

Attributes
  • extension

    .cdqw

  • offline_id

    mMsRxMUuXypapZbGOAfxD9pczHmW8zVRP7Pgjwt1

  • payload_url

    http://brusuax.com/dl/build2.exe

    http://zexeq.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-99MNqXMrdS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0840ASdw

rsa_pubkey.plain

Extracted

Family

lumma

C2

http://soupinterestoe.fun/api

Targets

    • Target

      de3b0cedbb0ce19fed2c76e7b1d160e8580644820ef5ef4d4e843379fd4c6289.exe

    • Size

      37KB

    • MD5

      c833507635537e50f5e884eb8242fea0

    • SHA1

      b2f9169c79f74f8c32adc2c33c95b5072c2665c3

    • SHA256

      de3b0cedbb0ce19fed2c76e7b1d160e8580644820ef5ef4d4e843379fd4c6289

    • SHA512

      5f5f22bbb9b295b751803f1bda81302f453f21b669966d8649676b4934045838aa23afc5af611290a8296c0fef00ea37fd80e1932c090df639861f8204a8ddb4

    • SSDEEP

      768:3E45SLnQpEhOB/hAGflc5xOXhr7gvexzv36:3E4EqEhOPNfqStgvexzv3

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detect Lumma Stealer payload V4

    • Detect ZGRat V1

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Stealc

      Stealc is an infostealer written in C++.

    • UAC bypass

    • Windows security bypass

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks