General

  • Target

    bf0cbdb53bbd724bb231f0b6958edfc4.bin

  • Size

    27KB

  • Sample

    231230-cldg7ahbbk

  • MD5

    8bd83476c655f8ada89f897f8f79b0ec

  • SHA1

    5def638e5024ff0fb1010a1fde34e5199123232a

  • SHA256

    e45058c32ef783db9ab46f512b31054c644bed2935bd9c0d875bd8908323820b

  • SHA512

    3b94005a11140e090dbf8c46d6386abf4bb6bb78f979925b598dffda3ed43cd05e3ff652b14cd19b9fc114ca98085f8135f36d752d4ff2c4395b3dba873c420b

  • SSDEEP

    768:DUyFGgGqf9w8L4eyhi8VoI45T3CmrOwIbJIc573U:DUTJIk4pV5miyywU

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://185.215.113.68/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

LiveTraffic

C2

20.79.30.95:13856

Extracted

Family

stealc

C2

http://5.42.66.57

Attributes
  • url_path

    /3886d2276f6914c4.php

rc4.plain

Targets

    • Target

      41d04caed8474ba34136c1e831cd345086a4fd4259557ec16f9c4cc99fb603cb.exe

    • Size

      38KB

    • MD5

      bf0cbdb53bbd724bb231f0b6958edfc4

    • SHA1

      d825f3d47987356477f6a1d916a0e34cb581ecc5

    • SHA256

      41d04caed8474ba34136c1e831cd345086a4fd4259557ec16f9c4cc99fb603cb

    • SHA512

      5073f5f04c954de70247254e1983939c330fa95f11e1d36f615f52a9649e77f8ffa93269ba19b7a734f4528ad5907b3e960414a54ee442dd1e1a70365af1358e

    • SSDEEP

      768:3E45SLnQpEhOB/hAGflc5xOXhr7gvexzv36:3E4EqEhOPNfqStgvexzv3

    • Detect Lumma Stealer payload V4

    • Detect ZGRat V1

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks