General

  • Target

    087f267a177c35b5d313efa4b9013c14

  • Size

    3.8MB

  • Sample

    231230-aqvwxsghap

  • MD5

    087f267a177c35b5d313efa4b9013c14

  • SHA1

    052ac70eb05ae560a882a3f97e73c80be01734e6

  • SHA256

    b8338eda2c7390860da3bd4a37104b409235131406d9b4d30a78b5d4189cf317

  • SHA512

    f13a98b4b2a3cc9e146ec6b58ba844d192962ea443a93f0f0237204818c7de3d4f6538fd40be7a72a53c7efc59c91a80a89539a6b92f4a448358c823b87393a1

  • SSDEEP

    98304:Ub/fEIQBU9HIJ08yFximXbXVdJw1mLPUZ4ygx2EjufjKWtK:UbfEIvdIJ0/xHXDHJwSsZ3rEAjKx

Malware Config

Extracted

  • Family

    ffdroider

  • C2

    http://128.1.32.84

Extracted

  • Family

    smokeloader

  • Botnet

    pub2

Extracted

  • Family

    smokeloader

  • Version

    2020

  • C2

    http://conceitosseg.com/upload/

    http://integrasidata.com/upload/

    http://ozentekstil.com/upload/

    http://finbelportal.com/upload/

    http://telanganadigital.com/upload/

  • rc4.i32

  • rc4.i32

Extracted

  • Family

    redline

  • C2

    92.119.112.202:13340

Targets

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

    • FFDroider payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks