General

  • Target

    f901fcc963b6755ffab4030b2c4024b2.exe

  • Size

    2.5MB

  • Sample

    231229-s2j8nshec7

  • MD5

    f901fcc963b6755ffab4030b2c4024b2

  • SHA1

    0934d8675790eac367fc6adcc36b36b1baaca73c

  • SHA256

    fc68214ae21bb693cb4dd555bc8eb14fec2d9086da96edbcf8e13bf825c41bce

  • SHA512

    873a0dc3130ff500936d962eee6c0eed136a8c0a554b1be74c6f790f4773af02b195b1aa67ee84fb7bec371e465b0b78d1233398c185e06b808f17a79a5875fe

  • SSDEEP

    49152:Qq57oyty2n2QT8bAG6bya5z9cNu0dVtG+ZR8LgoDbjTsIcQ8LoxBe/f7O3:vnyfi8kG6+chcxdLxWnjBBeX7O3

Malware Config

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://185.215.113.68/fks/index.php

  • rc4.i32
  • rc4.i32

Extracted

  • Family

    smokeloader

  • Botnet

    up3

Extracted

  • Family

    stealc

  • C2

    http://5.42.66.57

  • Attributes
      • url_path

        /3886d2276f6914c4.php

  • rc4.plain

Extracted

  • Family

    smokeloader

  • Version

    2020

  • C2

    http://host-file-host6.com/
    http://host-host-file8.com/

  • rc4.i32
  • rc4.i32

Extracted

  • Family

    redline

  • Botnet

    LiveTraffic

  • C2

    20.79.30.95:13856

Targets

    • Detect Lumma Stealer payload V4

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Stealc

      Stealc is an infostealer written in C++.

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.
