General

  • Target

    c921001283ef83c22480a86838160329.exe

  • Size

    37KB

  • Sample

    231229-vzt17sedak

  • MD5

    c921001283ef83c22480a86838160329

  • SHA1

    015b62dc84aac30eadf2228fcc978d7a8adb2950

  • SHA256

    c7a2d4deab33d14c5c0df61413662f9c025a289c61378a0cd660d0daf521a0ce

  • SHA512

    e7967f21f62261fc8fff068e284cebc15bbe2bd3fa02c6b9379c711313c7a1599bf5cb733a9d3342453e6dc16ace411c1cd3dfb6d1028ab4db681b70a70c79b7

  • SSDEEP

    768:3E45SLnQpEhOB/hAGflc5xOXhr7gvexzv36:3E4EqEhOPNfqStgvexzv3

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://185.215.113.68/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

LiveTraffic

C2

20.79.30.95:13856

Extracted

Family

stealc

C2

http://5.42.66.57

Attributes
  • url_path

    /3886d2276f6914c4.php

rc4.plain

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32
rc4.i32

Targets

    • Target

      c921001283ef83c22480a86838160329.exe

    • Size

      37KB

    • MD5

      c921001283ef83c22480a86838160329

    • SHA1

      015b62dc84aac30eadf2228fcc978d7a8adb2950

    • SHA256

      c7a2d4deab33d14c5c0df61413662f9c025a289c61378a0cd660d0daf521a0ce

    • SHA512

      e7967f21f62261fc8fff068e284cebc15bbe2bd3fa02c6b9379c711313c7a1599bf5cb733a9d3342453e6dc16ace411c1cd3dfb6d1028ab4db681b70a70c79b7

    • SSDEEP

      768:3E45SLnQpEhOB/hAGflc5xOXhr7gvexzv36:3E4EqEhOPNfqStgvexzv3

    • Detect Lumma Stealer payload V4

    • Detect ZGRat V1

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Deletes itself

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks