General

  • Target

    08335bdd48a24722cad27405aa41b915.bin

  • Size

    2.4MB

  • Sample

    231230-bc9ctsgfg8

  • MD5

    bde342adcaca67e3da96dd2603e67ee1

  • SHA1

    e4e3c57e9e84b4195990b378d7a178ccfedf80a2

  • SHA256

    bbfdc5394daee61c1c2652c9d29cfaa3c07658c9d682f22277b800fac6ffe27a

  • SHA512

    df5cf0788a23f8302c8129541b20ff56ffdfcf28cf549740b7e8923eead95c24fa6bf57ae1b9d889ec1ce4a829405b68e7049482784bc82a08c8335edfc25678

  • SSDEEP

    49152:hbBwGHkKP2OCuDk1JewX8mYCg7SKGqnyRr5RliNDMp5afbfOL:hRHkROLInewzYCg7SN5bniNDJQ

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://185.215.113.68/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

LiveTraffic

C2

20.79.30.95:13856

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32
rc4.i32

Extracted

Family

stealc

C2

http://5.42.66.57

Attributes
  • url_path

    /3886d2276f6914c4.php

rc4.plain

Extracted

Family

lumma

C2

http://soupinterestoe.fun/api

Targets

    • Target

      b15800d9e86b483c3c2473e20255c247c4879c5d9305590b2eb779871bb136fb.exe

    • Size

      2.5MB

    • MD5

      08335bdd48a24722cad27405aa41b915

    • SHA1

      176854b69dfab7ec3520e25f90dbc516ff7672d4

    • SHA256

      b15800d9e86b483c3c2473e20255c247c4879c5d9305590b2eb779871bb136fb

    • SHA512

      4897e5818a582646991560b19c32db33aaf0dada0051bd258d153a4234a648be9b4521079fde3041188ddca74005da36ffbacfee6c25947cda6a61aa6b1f148b

    • SSDEEP

      49152:GDKeuUS/fe2a2AN8jrqXgOWqaSyJYhZcn3uOoaX6uKP5P0z4YxAwuLNKRUqHyuHg:QK5UUeOk8jrqXLyW3yuIQKhSwuRWSaHH

    • Detect Lumma Stealer payload V4

    • Detect ZGRat V1

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

MITRE ATT&CK Enterprise v15

Tasks